Abstract. A notion of open bisimulation is formulated for the spi calculus, an extension of the $\pi$-calculus with cryptographic primitives. In this formulation, open bisimulation is indexed by pairs of symbolic traces, which represent the history of interactions between the environment and the pairs of processes being checked for bisimilarity. The use of symbolic traces allows for a symbolic treatment of bound input in bisimulation checking which avoids quantification over input values. Open bisimilarity is shown to be sound with respect to testing equivalence, and further, it is shown to be an equivalence relation on processes and a congruence relation on finite processes. As far as we know, this is the first formulation of open bisimulation for the spi calculus for which the congruence result is proved.
1 Introduction

The spi-calculus [2] is an extension of the $\pi$-calculus [10,11] with cryptographic primitives. This extension allows one to model cryptographic protocols and, via a notion of observational equivalence called testing equivalence, one can express security properties that a protocol satisfies. Testing equivalence is usually defined by quantifying over the environments with which the processes interact: roughly, to show that two processes are testing equivalent, one shows that the two processes exhibit the same traces under arbitrary observers. As in the $\pi$-calculus, bisimulation techniques have been defined to check observational equivalence of processes while avoiding quantification over all possible observers. Unlike in the $\pi$-calculus, in order to capture security notions such as secrecy, bisimulation in the spi-calculus needs to take into account the state of the environment (e.g., public networks) in its interaction with the processes being checked for equivalence. This gives rise to a more refined notion of equivalence of actions in the definition of bisimulation. In the $\pi$-calculus, to check whether two processes are bisimilar, one checks that an action by a process is matched by an equivalent action by the other process, and that their continuations possess the same property. The differences between bisimulations for the $\pi$- and the spi-calculus lie in the interpretation of "equivalent actions"; there are situations where equivalence of actions may be interpreted as "indistinguishable actions" from the perspective of an observer, which may not be syntactically equal.

Consider the processes $P = (\nu x)\bar a\langle\{b\}_x\rangle.0$ and $Q = (\nu x)\bar a\langle\{c\}_x\rangle.0$. $P$ is a process that can output on channel $a$ a message $b$, encrypted with a fresh key $x$, and then terminates, while $Q$ outputs a message $c$ encrypted with $x$ on the same channel. In the standard definitions of bisimulation for the $\pi$-calculus, e.g., late or early bisimulation [10,11], these two processes are not bisimilar since they output (syntactically) distinct actions. In the spi-calculus, when one is concerned only with whether an intruder (in its interaction with $P$ and $Q$) can discover the message being encrypted, the two actions by $P$ and $Q$ are essentially indistinguishable; the intruder does not have access to the key $x$, hence cannot access the underlying messages.

Motivated by the above observation, different notions of bisimulation have been proposed, among others framed bisimulation [1], environment-sensitive bisimulation [4], hedged bisimulation [6], etc. (see [6] for a review of these bisimulations). All these notions of bisimulation share a similarity in that they are all indexed by some sort of structure representing the "knowledge" of the environment. This structure is named differently from one definition to another. We shall use the rather generic term observer theory, or theory for short, to refer to the knowledge structure used in this paper, which is just a finite set of pairs of messages. A theory represents the pairs of messages that are obtained through the interaction between the environment (observer) and the pairs of processes in the bisimulation set. The pairs of messages in the theory represent equivalent messages, from the point of view of the observer. This observer theory is then used as a theory in a deductive system for deducing message (or action) equivalence. Under this theory, equivalent messages need not be syntactically equal.

A main difficulty in bisimulation checking for spi-processes lies in dealing with the input actions of the processes, where one needs to check that the processes are bisimilar for all equivalent pairs of input messages. One way of dealing with this infinite quantification is through a symbolic technique where one delays the instantiation of input values until they are needed. This technique has been applied to hedged bisimulation by Borgström et al. [5]. Their work on symbolic bisimulation for the spi-calculus is, however, mainly concerned with obtaining a sound approximation of hedged bisimulation, and less with studying meta-level properties of the symbolic bisimulation as an equivalence relation. Open bisimulation [12], on the other hand, makes use of the symbolic handling of input values, while at the same time maintaining interesting meta-level properties, such as being a congruence relation on processes. Open bisimulation has so far been studied for the $\pi$-calculus and its extension to the spi-calculus has not been fully understood. There is a recent attempt at formulating an open-style bisimulation for the spi-calculus [5], which is shown to be sound with respect to hedged bisimulation. However, no congruence results have been obtained for this notion of open bisimulation. We propose a different formulation of open bisimulation, which is inspired by hedged bisimulation. A collection of up-to techniques is defined and shown to be sound. These up-to techniques can be used to finitely check the bisimilarity of processes in some cases and, more importantly, they are used to show that open bisimilarity is a congruence on finite spi-processes. The latter allows for compositional reasoning about open bisimilarity. As far as we know, this is the first congruence result for open bisimulation for the spi calculus.

There are several novel features of our work that distinguish it from existing formulations of bisimulation 
of the spi calculus. Each of these is discussed briefly below. 

1.1 Sequent calculus for observer theories 

In most formulations of bisimulation for the spi calculus, the observer's capability in making logical inferences (e.g., deducing, from the availability of an encrypted message $\{M\}_K$ and a key $K$, the message $M$) is presented as some sort of natural deduction system. For example, suppose $\Sigma$ represents a set of messages accumulated by an observer. Let us denote with $\Sigma \vdash M$ the fact that the observer can "deduce $M$ from $\Sigma$". Then the capability of the observer to decrypt a message can be represented as the elimination rule:

$$\frac{\Sigma \vdash \{M\}_K \qquad \Sigma \vdash K}{\Sigma \vdash M}$$

One drawback of such a representation of capability is that it is not immediately clear how proof search for the judgment $\Sigma \vdash M$ can be done, since this would involve application of the rule in a bottom-up fashion, which in turn would involve "guessing" a suitable key $K$.

In this paper, we use a different representation of the observer's capabilities using sequent calculus. The sequent calculus formulation has the advantage that the rules are local, in the sense that any proof of $\Sigma \vdash M$ involves only subterms of $\Sigma$ and $M$. As is well known in proof theory and functional programming, there is a close correspondence between the two formalisms, e.g., the Curry-Howard correspondence between natural deduction and sequent calculus for intuitionistic logic. There is a more-or-less straightforward translation from elimination rules in natural deduction to "left-introduction" rules in sequent calculus. The latter means that the rules are applied to messages on the left of the turnstile $\vdash$. For example, the above elimination rule has the corresponding left-rule in sequent calculus:

$$\frac{\Sigma, \{M\}_K \vdash K \qquad \Sigma, \{M\}_K, M, K \vdash R}{\Sigma, \{M\}_K \vdash R}$$

For the correspondence to work, we need to show a certain transitivity property of the sequent calculus system, that is, if $\Sigma \vdash M$ and $\Sigma, M \vdash R$ are provable, then so is $\Sigma \vdash R$. In proof theory, this result is often referred to as the cut-elimination theorem.

Besides guaranteeing tractability of proof search, the sequent calculus formulation of observer theories, in particular the cut-elimination theorem, turns out to be useful in establishing the metatheory of our formulation of open bisimulation. We note that equivalent results can be obtained using the more traditional natural deduction formulation, but perhaps with some extra effort. Recently, sequent calculus has been used to derive decidability results for a range of observer theories (under richer equational theories than the one covered in this paper) in a uniform way [15].
1.2 Consistency of observer theories

A crucial part in theories of environment-sensitive bisimulation is the consistency of the observer theory. Recall that an observer theory is a set of pairs of messages, representing the history of interaction between the observer and the pair of processes being checked for bisimilarity. Consistency of such a theory can be roughly understood as the property of "indistinguishability" between the first and the second projections of the pairs. More precisely, whatever operations one can perform on the first projections (decrypting the messages, encrypting, testing for syntactic equality, etc.) can also be performed on the second projections. A consistent theory guarantees that the induced equality on messages (or more precisely, indistinguishability) satisfies the usual axioms of equality, most importantly transitivity. This in turn is used to show that the environment-sensitive bisimulations that are parameterized upon consistent theories are equivalence relations.

In most previous formulations of bisimulation for the spi-calculus, consistency is defined only on theories in a certain "reduced form" (see e.g. [1,6]). One problem with this definition of consistency is that the reduced form is not closed under arbitrary substitution of names. This makes it difficult to define the notion of consistency and reduced form for observer theories used in open bisimulation, since open bisimulation involves substitution of names at arbitrary stages in bisimulation checking, e.g., as in the original definition of open bisimulation for the $\pi$-calculus [12]. In this paper, we define a new notion of consistency for observer theories, which does not require the observer theories to be in reduced form. We then show that there is a finite (and decidable) characterisation of consistency of any given observer theory (see Section 3).



1.3 Symbolic representation of observer theories 



One difficulty in formulating open bisimulation for the spi-calculus is how to ensure that open bisimilarity is closed under substitutions of names. Open bisimilarity for the $\pi$-calculus is known not to be closed under arbitrary substitutions, so it cannot be the case for the spi-calculus either. The question then is under what class of substitutions it is closed. In the $\pi$-calculus, this class of substitutions is defined via a notion called distinction [12], which constrains the identification of certain names in the processes. A respectful substitution, with respect to a distinction $D$, is any substitution that satisfies the constraint on the distinction of names in $D$. In the spi-calculus, input values can be arbitrary terms, not just names, therefore a simple notion of distinction would not suffice. We also have to take into account the knowledge that is accumulated by the environment in its interaction with processes. Consider for example the pair of processes $P = (\nu k)\bar a\langle\{b\}_k\rangle.a(x).0$ and $Q = (\nu k)\bar a\langle\{c\}_k\rangle.a(x).0$ where $a$, $b$ and $c$ are pairwise distinct names. Intuitively, we can see that the two processes are bisimilar, since the key $k$ is not explicitly extruded. A "symbolic" bisimulation game on these processes would look something like the following diagram:



$$\begin{array}{lll} P: & \bar a\{b\}_k & a(x) \\ Q: & \bar a\{c\}_k & a(x) \end{array}$$



where we left the input value $x$ unspecified. To show the soundness of this symbolic bisimulation, we have to "concretize" this symbolic set, by considering appropriate instantiations of $x$. Obviously $x$ cannot be substituted by an arbitrary term; for example, it cannot be instantiated with $k$, since this would be inconsistent with the fact that $k$ is not explicitly extruded. We also need to take into account different instantiations of $x$ for the continuations of $P$ and $Q$. For example, in its interaction with $P$, the environment does not have the message $\{c\}_k$, so $x$ cannot be instantiated with this term. Likewise, in its interaction with $Q$, it is never the case that $x$ would be instantiated with $\{b\}_k$. Thus, a good notion of respectful substitution for open bisimulation must respect the different knowledge of the process pairs in the bisimulation.
The symbolic representation of observer theories used in this paper is based on Boreale's symbolic traces [3]. A symbolic trace is a compact representation of a set of traces of a process, where the input values are represented by parameters (which are essentially names). Associated with a symbolic trace is a notion of consistency, i.e., it should be possible to instantiate the symbolic trace to a set of concrete traces. The definition of open bisimulation in Section 4 is indexed by pairs of symbolic traces, which we call bi-traces. A symbolic trace is essentially a list, and the position of a particular name in the list constrains its possible instantiations. In this sense, its position in the list enforces an implicit scoping of the name. Bi-traces are essentially observer theories with added structure. The notion of consistency of bi-traces is therefore based on the notion of consistency for observer theories, with the added constraint on the possible instantiations of names in the bi-traces. The latter gives rise to the notion of respectful substitutions, much like the same notion that appears in the definition of open bisimulation for the $\pi$-calculus.

1.4 Name distinction 

A good definition of open bisimulation for the spi-calculus should naturally address the issue of name distinction. As in the definition of open bisimulation for the $\pi$-calculus, the fresh names extruded by a bound output action of a process should be considered distinct from all other pre-existing names. We employ a syntactic device to encode this distinction implicitly. We extend the language of processes with a countably infinite set of rigid names. Rigid names are basically constants, so they are not subject to instantiation and therefore cannot be identified by substitutions. Note that it is possible to formulate open bisimulation without the use of rigid names, at the price of added complexity.

Outline of the paper. In Section 2 we review some notation and the operational semantics of the spi-calculus. We assume that the reader has some familiarity with the spi-calculus, so we will not explain in detail the meaning of the various constructs of the calculus. Section 3 presents the notion of observer theories along with their various properties. Section 4 defines our notion of open bisimulation, using the bi-trace structure. A considerable part of this section is devoted to studying properties of bi-traces. Section 5 defines several up-to techniques for open bisimulation. The main purpose of these techniques is to show that open bisimilarity is closed under parallel composition, from which we obtain the soundness of open bisimulation with respect to testing equivalence in Section 6. Section 7 presents some examples of reasoning about bisimulation using the up-to techniques. Section 8 shows that open bisimilarity is a congruence relation on finite spi-processes without rigid names. Section 9 concludes the paper and outlines some directions for future work.

2 The Spi Calculus 

In this section we review the syntax and the operational semantics of the spi-calculus. We assume the reader has some familiarity with the spi-calculus, so we will not go into details of the meaning of the operators of the spi-calculus. We follow the original presentation of the spi calculus as in [2], but we consider a more restricted language, i.e., the one with only the pairing and encryption operators. We assume a denumerable set of names, denoted by $\mathcal{N}$. We use $m$, $n$, $x$, $y$, and $z$ to range over names. In order to simplify the presentation of open bisimulation, we introduce another infinite set of names which we call rigid names, denoted by $\mathcal{RN}$, which are assumed to be of a distinct syntactic category from names. Rigid names are a purely syntactic device to simplify the presentation. They can be thought of as names which are created when restricted names in processes are extruded in their transitions. Rigid names embody a notion of distinction, as in open bisimulation for the $\pi$-calculus [12], in the sense that they cannot be instantiated, thus cannot be identified with other rigid names. The motivation for having rigid names will become clear when we present open bisimulation in Section 4. Rigid names are ranged over by bold lower-case letters, e.g., as in $\mathbf{a}$, $\mathbf{b}$, $\mathbf{c}$, etc. We use $u$, $v$, $w$ to range over both names and rigid names.

Messages in the spi calculus are not just names, but can be compound terms, for instance encrypted messages. The set of terms is given by the following grammar:

$$M, N ::= x \mid \mathbf{a} \mid (M, N) \mid \{M\}_N$$

where $(M, N)$ denotes a pair consisting of messages $M$ and $N$, and $\{M\}_N$ denotes the message $M$ encrypted with the key $N$. The set of processes is defined by the grammar:

$$\begin{array}{rcl} P, Q, R & ::= & 0 \mid \bar M\langle N\rangle.P \mid M(x).P \mid P \,|\, Q \mid (\nu x)P \\ & \mid & !P \mid [M = N]P \mid \mathit{let}\ (x, y) = M\ \mathit{in}\ P \mid \mathit{case}\ L\ \mathit{of}\ \{x\}_N\ \mathit{in}\ P \end{array}$$

The names $x$ and $y$ in the restriction, the 'let' and the 'case' constructs are binding occurrences. We assume the usual $\alpha$-equivalence on process expressions. The set of terms (messages) is denoted by $\mathcal{M}$ and the set of processes by $\mathcal{P}$. Given a syntactic expression $E$, e.g., a process, a set of processes, pairs, etc., we write $fn(E)$ to denote the set of free names in $E$. Likewise, $rn(E)$ denotes the set of free rigid names in $E$. We use the notation $rfn(E)$ to denote $fn(E) \cup rn(E)$. We call a process $P$ pure if there are no free occurrences of rigid names in $P$. The set of pure processes is denoted by $\mathcal{P}_p$. Likewise, a message $M$ is pure if $rn(M) = \emptyset$. The set of pure messages is denoted by $\mathcal{M}_p$.

A substitution is a mapping from names to messages. Substitutions are ranged over by $\theta$, $\sigma$ and $\rho$. The domain of a substitution is defined as $dom(\theta) = \{x \mid \theta(x) \neq x\}$. We consider only substitutions with finite domains. The substitution with empty domain is denoted by $\epsilon$. We often enumerate the mappings of a substitution on its finite domain, using the notation $[M_1/x_1, \ldots, M_n/x_n]$. Substitutions are generalised straightforwardly to mappings between terms (processes, messages, etc.), with the usual proviso that the free names in the substitutions do not become bound as a result of the application of the substitutions. Applications of substitutions to terms (processes or messages) are written in postfix notation, e.g., as in $M\theta$. Composition of two substitutions $\theta$ and $\sigma$, written $(\theta \circ \sigma)$, is defined as follows: $M(\theta \circ \sigma) = (M\theta)\sigma$. Given a substitution $\theta$ and a finite set of names $V$, we denote by $\theta|_V$ the substitution which coincides with $\theta$ on the set $V$, and is the identity map everywhere else.

2.1 Operational semantics 

We use the operational semantics of the spi calculus as it is given in [1], with one small modification: we allow communication channels to be arbitrary messages, instead of just names. We do this in order to get a simpler formulation of open bisimulation in Section 4, since we do not need to keep track of certain constraints related to channel names.

The one-step transition relations do not relate processes with processes, but rather processes with agents. The latter are presented using the notions of abstraction and concretion of processes. Abstractions are expressions of the form $(x)P$ where $P$ is a process and the construct $(x)$ binds free occurrences of $x$ in $P$, and concretions are expressions of the form $(\nu \tilde x)\langle M\rangle P$ where $M$ is a message and $P$ is a process. Agents are ranged over by $A$, $B$ and $C$. As with processes, we call an agent $A$ pure if $rn(A) = \emptyset$.

To simplify the presentation of the operational semantics, we define compositions between processes and agents as follows. In the definition below we assume that $x \notin \{\tilde y\} \cup fn(R)$ and $\{\tilde y, z\} \cap fn(R) = \emptyset$.

$$\begin{array}{rcll} (\nu x)(z)P & = & (z)(\nu x)P & \\ R \,|\, (x)P & = & (x)(R \,|\, P), & \text{if } x \notin fn(R) \\ (\nu x)(\nu \tilde y)\langle M\rangle Q & = & (\nu x, \tilde y)\langle M\rangle Q, & \text{if } x \in fn(M) \\ (\nu x)(\nu \tilde y)\langle M\rangle Q & = & (\nu \tilde y)\langle M\rangle(\nu x)Q, & \text{if } x \notin fn(M) \\ R \,|\, (\nu \tilde y)\langle M\rangle Q & = & (\nu \tilde y)\langle M\rangle(R \,|\, Q). & \end{array}$$

The dual composition $A \,|\, R$ is defined symmetrically.

Given an abstraction $F = (x)P$ and a concretion $C = (\nu \tilde y)\langle M\rangle Q$, where $\{\tilde y\} \cap fn(P) = \emptyset$, the interactions of $F$ and $C$ are defined as follows:

$$F@C = (\nu \tilde y)(P[M/x] \,|\, Q) \qquad\qquad C@F = (\nu \tilde y)(Q \,|\, P[M/x]).$$
We define a reduction relation $>$ on processes as follows:

$$\begin{array}{rcl} !P & > & P \,|\, !P \\ {[M = M]P} & > & P \\ \mathit{let}\ (x, y) = (M, N)\ \mathit{in}\ P & > & P[M/x][N/y] \\ \mathit{case}\ \{M\}_N\ \mathit{of}\ \{x\}_N\ \mathit{in}\ P & > & P[M/x] \end{array}$$

$$M(x).P \xrightarrow{M} (x)P \qquad\qquad \bar M\langle N\rangle.P \xrightarrow{\bar M} \langle N\rangle P$$

$$\frac{P \xrightarrow{M} F \qquad Q \xrightarrow{\bar M} C}{P \,|\, Q \xrightarrow{\tau} F@C} \qquad\qquad \frac{P \xrightarrow{\bar M} C \qquad Q \xrightarrow{M} F}{P \,|\, Q \xrightarrow{\tau} C@F}$$

$$\frac{P > Q \qquad Q \xrightarrow{\alpha} A}{P \xrightarrow{\alpha} A} \qquad \frac{P \xrightarrow{\alpha} A}{P \,|\, Q \xrightarrow{\alpha} A \,|\, Q} \qquad \frac{Q \xrightarrow{\alpha} A}{P \,|\, Q \xrightarrow{\alpha} P \,|\, A} \qquad \frac{P \xrightarrow{\alpha} A \qquad m \notin fn(\alpha)}{(\nu m)P \xrightarrow{\alpha} (\nu m)A}$$

Fig. 1. The operational semantics of the spi calculus.

The operational semantics of the spi calculus is given in Figure 1. The action $\alpha$ can be either the silent action $\tau$, a term $M$, or a co-term $\bar M$, where $M$ is a term. We note that as far as the operational semantics is concerned, there is no distinction between a name and a rigid name; both can be used as channel names and as messages.

Structural equivalence on processes is the least relation satisfying the following equations and rules:

$$P \,|\, 0 \equiv P, \qquad P \,|\, Q \equiv Q \,|\, P, \qquad P \,|\, (Q \,|\, R) \equiv (P \,|\, Q) \,|\, R,$$

$$(\nu x)(\nu y)P \equiv (\nu y)(\nu x)P, \qquad (\nu x)0 \equiv 0, \qquad (\nu x)(P \,|\, Q) \equiv P \,|\, (\nu x)Q, \ \text{if } x \notin fn(P),$$

$$\frac{P > Q}{P \equiv Q} \qquad \frac{}{P \equiv P} \qquad \frac{Q \equiv P}{P \equiv Q} \qquad \frac{P \equiv Q \qquad Q \equiv R}{P \equiv R} \qquad \frac{P \equiv P'}{P \,|\, Q \equiv P' \,|\, Q} \qquad \frac{P \equiv P'}{(\nu m)P \equiv (\nu m)P'}$$

Structural equivalence extends to agents by adding the following rules:

$$\frac{P \equiv Q}{(x)P \equiv (x)Q} \qquad\qquad \frac{P \equiv Q, \quad \tilde m \text{ is a permutation of } \tilde n}{(\nu \tilde n)\langle M\rangle P \equiv (\nu \tilde m)\langle M\rangle Q}$$

Structurally equivalent processes are indistinguishable as far as their transitions are concerned. 

Proposition 1. If $P \equiv Q$ then $P \xrightarrow{\alpha} A$ implies $Q \xrightarrow{\alpha} B$ for some $B$ such that $A \equiv B$.

Proof. By structural induction on the derivations of $P \equiv Q$ and $P \xrightarrow{\alpha} A$. $\square$

2.2 Testing equivalence 

In order to define testing equivalence, we first define the notion of a barb. A barb is an input or an output channel on which a process can communicate. We assume that barbs contain no rigid names. We denote the reflexive-transitive closure of the silent transition $\xrightarrow{\tau}$ by $\xrightarrow{\tau}{}^*$.
Definition 2. Two pure processes $P$ and $Q$ are said to be testing equivalent, written $P \sim Q$, when for every pure process $R$ and every barb $\beta$, if

$$P \,|\, R \xrightarrow{\tau}{}^* P' \xrightarrow{\beta} A$$

for some $P'$ and $A$, then

$$Q \,|\, R \xrightarrow{\tau}{}^* Q' \xrightarrow{\beta} B$$

for some $Q'$ and $B$, and vice versa.

Notice that testing equivalence is defined for pure processes only, therefore our definition of testing equivalence coincides with that in [2].

3 Observer theory 

An observer theory is just a finite set of pairs of messages, i.e., a subset of $\mathcal{M} \times \mathcal{M}$. The pairs of messages in an observer theory denote the pairs of messages that are indistinguishable from the observer's point of view. An observer theory is essentially what is referred to as the frame-theory pair in frame bisimulation [1], i.e., the pair $(fr, th)$ where $fr$ is a frame, i.e., a finite set of names, and $th$ is a theory, i.e., a finite set of pairs of messages. The frame $fr$ represents the names that are known to the observer or environment, whereas the theory part corresponds to the messages that the observer obtains through its interaction with a pair of processes. Here we adopt the convention that all names are known to the observer; rigid names, on the other hand, play the role of "private names", which may or may not be known to the observer. Thus the "frame" component in our observer theory is implicit.

Associated with an observer theory are certain proof systems representing the deductive capability of the observer. These proof systems allow for the derivation of new knowledge from existing knowledge. Observer theories are ranged over by $\Gamma$ and $\Delta$. We often refer to an observer theory simply as a theory. Given a theory $\Gamma$, we write $\pi_1(\Gamma)$ to denote the set $\{M \mid \exists N.\,(M, N) \in \Gamma\}$, and likewise, $\pi_2(\Gamma)$ to denote the set $\{N \mid \exists M.\,(M, N) \in \Gamma\}$. The observer can encrypt and decrypt messages it has in order to either analyze or synthesize messages to deduce the equality of messages. This deductive capability is presented as a proof system in Figure 2. This proof system is a straightforward adaptation of the standard proof systems for message analysis and synthesis, usually presented in a natural-deduction style, e.g., as found in [3], to sequent calculus. We find sequent calculus a more natural setting to prove various properties of observer theories. The sequent $\Gamma \Vdash M \leftrightarrow N$ means that the messages $M$ and $N$ are indistinguishable in the theory $\Gamma$. We shall often write $\Gamma \vdash M \leftrightarrow N$ to mean that the sequent $\Gamma \Vdash M \leftrightarrow N$ is derivable using the rules in Figure 2. Notice that in the proof system in Figure 2, two names are indistinguishable if they are syntactically equal. This reflects the fact that names are entities known to the observer.

It is useful to consider the set of messages that can be constructed by an observer in its interaction with a particular process. This synthesis of messages follows the inference rules given in Figure 3. The symbol $\Sigma$ denotes a finite set of messages. We overload the symbols $\Vdash$ and $\vdash$ to denote, respectively, sequents and the derivability relation for messages given a set of messages. The rules for message synthesis are just a projection of the rules for message equivalence.

Lemma 3. If $\Gamma \vdash M \leftrightarrow N$ then $\pi_1(\Gamma) \vdash M$ and $\pi_2(\Gamma) \vdash N$.

A nice feature of the sequent calculus formulation is that it satisfies the so-called "sub-formula property", that is, in any derivation of a judgment, every judgment in the derivation contains only subterms occurring in the judgment at the root of the derivation tree. This immediately gives us a bound on the depth of the derivation tree, hence the decidability of the proof systems.

Proposition 4. Given any $\Gamma$, $\Sigma$, $M$ and $N$, it is decidable whether the judgments $\Gamma \vdash M \leftrightarrow N$ and $\Sigma \vdash M$ hold.
$$\frac{}{\Gamma \Vdash x \leftrightarrow x}\ var \qquad\qquad \frac{}{\Gamma, (M, N) \Vdash M \leftrightarrow N}\ id$$

$$\frac{\Gamma \Vdash M \leftrightarrow M' \qquad \Gamma \Vdash N \leftrightarrow N'}{\Gamma \Vdash (M, N) \leftrightarrow (M', N')}\ pr \qquad\qquad \frac{\Gamma \Vdash M \leftrightarrow M' \qquad \Gamma \Vdash N \leftrightarrow N'}{\Gamma \Vdash \{M\}_N \leftrightarrow \{M'\}_{N'}}\ er$$

$$\frac{\Gamma, ((M_1, N_1), (M_2, N_2)), (M_1, M_2), (N_1, N_2) \Vdash M \leftrightarrow N}{\Gamma, ((M_1, N_1), (M_2, N_2)) \Vdash M \leftrightarrow N}\ pl$$

$$\frac{\Gamma, (\{M_1\}_{N_1}, \{M_2\}_{N_2}) \Vdash N_1 \leftrightarrow N_2 \qquad \Gamma, (\{M_1\}_{N_1}, \{M_2\}_{N_2}), (M_1, M_2), (N_1, N_2) \Vdash M \leftrightarrow N}{\Gamma, (\{M_1\}_{N_1}, \{M_2\}_{N_2}) \Vdash M \leftrightarrow N}\ el$$

Fig. 2. Proof system for deriving message equivalence

$$\frac{}{\Sigma \Vdash x}\ var \qquad \frac{}{\Sigma, M \Vdash M}\ id \qquad \frac{\Sigma \Vdash M \qquad \Sigma \Vdash N}{\Sigma \Vdash (M, N)}\ pr \qquad \frac{\Sigma \Vdash M \qquad \Sigma \Vdash N}{\Sigma \Vdash \{M\}_N}\ er$$

$$\frac{\Sigma, (M, N), M, N \Vdash R}{\Sigma, (M, N) \Vdash R}\ pl \qquad\qquad \frac{\Sigma, \{M\}_N \Vdash N \qquad \Sigma, \{M\}_N, M, N \Vdash R}{\Sigma, \{M\}_N \Vdash R}\ el$$

Fig. 3. Proof system for message synthesis
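As an added illustration (this is not code from the paper), the following Python script implements bottom-up proof search for the two sequent systems of Figures 2 and 3: the left rules pl and el are applied to the context until a fixpoint is reached (they only ever add subterms, so the search terminates as Proposition 4 states), and the goal is then decomposed with the right rules var, id, pr and er. The term encoding (names as strings, rigid names with a '#' prefix, tuples for pairs and encryptions) and the example theory built from the introduction's processes $P$ and $Q$ are this example's own constructions.

```python
# Term representation (a convention of this example, not the paper's notation):
#   name x              -> 'x'            (known to the observer; rule var applies)
#   rigid name k        -> '#k'           (the paper's bold k; not known by default)
#   pair (M, N)         -> ('pair', M, N)
#   encryption {M}_N    -> ('enc', M, N)
def kind(t):
    if isinstance(t, str):
        return 'rigid' if t.startswith('#') else 'name'
    return t[0]                                   # 'pair' or 'enc'


# ---- Figure 3: message synthesis, Sigma |- M -----------------------------
def synth_right(S, M):
    """Right rules var, id, pr, er against an already saturated set S."""
    k = kind(M)
    if k == 'name':                               # var: every name is known
        return True
    if M in S:                                    # id
        return True
    if k in ('pair', 'enc'):                      # pr / er: build from the parts
        return synth_right(S, M[1]) and synth_right(S, M[2])
    return False                                  # a rigid name never obtained


def synth_closure(sigma):
    """Apply the left rules pl and el until nothing new appears.  Only subterms
    of sigma are ever added (sub-formula property), so this terminates."""
    S = set(sigma)
    while True:
        new = set()
        for t in S:
            if kind(t) == 'pair':                               # pl: split a pair
                new |= {t[1], t[2]}
            elif kind(t) == 'enc' and synth_right(S, t[2]):     # el: key derivable
                new |= {t[1], t[2]}
        new -= S
        if not new:
            return S
        S |= new


def synthesizes(sigma, M):
    return synth_right(synth_closure(sigma), M)


# ---- Figure 2: message equivalence, Gamma |- M <-> N ---------------------
def equiv_right(G, M, N):
    """Right rules var, id, pr, er against a saturated theory G (set of pairs)."""
    km, kn = kind(M), kind(N)
    if km == kn == 'name' and M == N:             # var: syntactically equal names
        return True
    if (M, N) in G:                               # id
        return True
    if km == kn and km in ('pair', 'enc'):        # pr / er, componentwise
        return equiv_right(G, M[1], N[1]) and equiv_right(G, M[2], N[2])
    return False


def equiv_closure(gamma):
    """Left rules pl and el of Figure 2, applied to a fixpoint."""
    G = set(gamma)
    while True:
        new = set()
        for (M, N) in G:
            km, kn = kind(M), kind(N)
            if km == kn == 'pair':                                   # pl
                new |= {(M[1], N[1]), (M[2], N[2])}
            elif km == kn == 'enc' and equiv_right(G, M[2], N[2]):   # el
                new |= {(M[1], N[1]), (M[2], N[2])}
        new -= G
        if not new:
            return G
        G |= new


def equivalent(gamma, M, N):
    return equiv_right(equiv_closure(gamma), M, N)


def pi1(gamma):
    return {M for (M, _) in gamma}


def pi2(gamma):
    return {N for (_, N) in gamma}


# Constructed example from the introduction: P sends {b}_k and Q sends {c}_k,
# with the key k restricted (a rigid name here, so the observer never has it).
ENC_B = ('enc', 'b', '#k')
ENC_C = ('enc', 'c', '#k')
THEORY = {(ENC_B, ENC_C)}
LEAKED = THEORY | {('#k', '#k')}   # the same theory after k has been extruded

if __name__ == '__main__':
    print(equivalent(THEORY, ENC_B, ENC_C))   # True: the two outputs look alike
    print(equivalent(THEORY, 'b', 'c'))       # False: nothing decrypts without k
    print(equivalent(LEAKED, 'b', 'c'))       # True: decrypt both and compare
```

With the key extruded, LEAKED derives both $b \leftrightarrow b$ (var) and $b \leftrightarrow c$, so it violates the unicity condition of Definition 11 below, which is exactly what makes the two processes distinguishable once $k$ is known.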




3.1 Properties of the entailment relations 

We examine several general properties of the entailment relation $\vdash$ which will be used throughout the paper.

The following two lemmas state that the rules for $\leftrightarrow$ are invertible, under some conditions. Lemma 5 actually states something stronger than just invertibility; it also says that keeping the components of a message pair instead of the compound pair amounts to the same thing, again under a certain condition. This stronger statement, if coupled with the weakening lemma (Lemma 7), trivially entails the invertibility of left-rules under the given condition. The proofs of the next two lemmas are straightforward by induction on the length of derivations.

Lemma 5. The sequent

$$\Gamma, ((M_1, N_1), (M_2, N_2)) \Vdash M \leftrightarrow N$$

is derivable if and only if

$$\Gamma, (M_1, M_2), (N_1, N_2) \Vdash M \leftrightarrow N$$

is derivable. If $\Gamma, (\{M_1\}_{N_1}, \{M_2\}_{N_2}) \vdash N_1 \leftrightarrow N_2$, then

$$\Gamma, (\{M_1\}_{N_1}, \{M_2\}_{N_2}) \Vdash M \leftrightarrow N$$

is derivable if and only if

$$\Gamma, (M_1, M_2), (N_1, N_2) \Vdash M \leftrightarrow N$$

is derivable.

Lemma 6. The judgment $\Gamma \Vdash (R, T) \leftrightarrow (U, V)$ is derivable if and only if $\Gamma \Vdash R \leftrightarrow U$ and $\Gamma \Vdash T \leftrightarrow V$ are derivable. If $\Gamma \vdash T \leftrightarrow V$ then $\Gamma \Vdash \{R\}_T \leftrightarrow \{U\}_V$ is derivable if and only if $\Gamma \Vdash R \leftrightarrow U$ is derivable.

The next two lemmas show that the entailment relations $\vdash$ for message equivalence and synthesis are monotonic.

Lemma 7. If $\Gamma \vdash M \leftrightarrow N$ then $\Gamma, (R, T) \vdash M \leftrightarrow N$ for any $(R, T)$. If $\Sigma \vdash M$ then $\Sigma, R \vdash M$ for any $R$.

Lemma 8. $\Gamma \vdash M \leftrightarrow N$ if and only if $(x, x), \Gamma \vdash M \leftrightarrow N$, for any $\Gamma$, $M$, $N$ and $x$.

Lemma 9. If $\Gamma \vdash M \leftrightarrow N$ then $\Gamma^{-1} \vdash N \leftrightarrow M$.

The following proposition states the transitivity of the entailment relation. Readers familiar with proof theory will recognize its similarity to the "cut-elimination" theorem.

Proposition 10. If $\Gamma \vdash M \leftrightarrow N$ and $\Delta, (M, N) \vdash R \leftrightarrow T$ then $\Gamma \cup \Delta \vdash R \leftrightarrow T$.

Proof. Suppose $\Pi_1$ is the derivation of $\Gamma \Vdash M \leftrightarrow N$ and $\Pi_2$ is the derivation of $\Delta, (M, N) \Vdash R \leftrightarrow T$. We show that there exists a derivation $\Pi$ of $\Gamma \cup \Delta \Vdash R \leftrightarrow T$. The proof is by induction on the height of $\Pi_1$. We distinguish several cases based on the last rule in $\Pi_1$. We first note that if $(M, N) \in \Delta$ then $\Pi$ can be constructed directly from $\Pi_2$ by applying the weakening lemma (Lemma 7). In the following we assume that $(M, N) \notin \Delta$.

1. $\Pi_1$ ends with the var-rule. In this case, $\Pi_2$ is a derivation of $(x, x), \Delta \Vdash R \leftrightarrow T$. Hence, by Lemma 7 and Lemma 8 we have $\Gamma \cup \Delta \vdash R \leftrightarrow T$ as well.

2. $\Pi_1$ ends with the id-rule. In this case, $(M, N) \in \Gamma$, hence $(M, N) \in \Gamma \cup \Delta$. Applying Lemma 7 to $\Pi_2$, we obtain a derivation of $\Gamma \cup \Delta \Vdash R \leftrightarrow T$ as required.

3. $\Pi_1$ ends with pl:

$$\frac{\Pi_1' \atop \Gamma', (U, X), (V, Y) \Vdash M \leftrightarrow N}{\Gamma', ((U, V), (X, Y)) \Vdash M \leftrightarrow N}\ pl$$

By the induction hypothesis, we have a derivation $\Pi'$ of

$$\{\Gamma', (U, X), (V, Y)\} \cup \Delta \Vdash R \leftrightarrow T.$$

The derivation $\Pi$ is therefore obtained from $\Pi'$ by applying the pl-rule to the pairs $(U, X)$ and $(V, Y)$.

4. $\Pi_1$ ends with el, where we write $\Gamma$ for $\Gamma', (\{U\}_V, \{X\}_Y)$:

$$\frac{{\Pi_3 \atop \Gamma \Vdash V \leftrightarrow Y} \qquad {\Pi_4 \atop \Gamma, (U, X), (V, Y) \Vdash M \leftrightarrow N}}{\Gamma', (\{U\}_V, \{X\}_Y) \Vdash M \leftrightarrow N}\ el$$

By the induction hypothesis (on $\Pi_4$) we have a derivation $\Pi'$ of $\{\Gamma, (U, X), (V, Y)\} \cup \Delta \Vdash R \leftrightarrow T$, and applying Lemma 7 to $\Pi_3$ we obtain a derivation $\Pi_3'$ of $\Gamma \cup \Delta \Vdash V \leftrightarrow Y$. The derivation $\Pi$ is then constructed as follows:

$$\frac{{\Pi_3' \atop \Gamma \cup \Delta \Vdash V \leftrightarrow Y} \qquad {\Pi' \atop \{\Gamma, (U, X), (V, Y)\} \cup \Delta \Vdash R \leftrightarrow T}}{\Gamma \cup \Delta \Vdash R \leftrightarrow T}\ el$$

5. $\Pi_1$ ends with the pr-rule:

$$\frac{{\Pi_1' \atop \Gamma \Vdash M_1 \leftrightarrow N_1} \qquad {\Pi_1'' \atop \Gamma \Vdash M_2 \leftrightarrow N_2}}{\Gamma \Vdash (M_1, M_2) \leftrightarrow (N_1, N_2)}\ pr$$

Applying Lemma 5 to $\Pi_2$, we obtain a derivation $\Pi_2'$ of

$$\Delta, (M_1, N_1), (M_2, N_2) \Vdash R \leftrightarrow T.$$

The derivation $\Pi$ is then constructed by applying the induction hypothesis twice (once on $\Pi_1'$ and then on $\Pi_1''$).

6. $\Pi_1$ ends with the er-rule:

$$\frac{{\Pi_1' \atop \Gamma \Vdash M_1 \leftrightarrow N_1} \qquad {\Pi_1'' \atop \Gamma \Vdash M_2 \leftrightarrow N_2}}{\Gamma \Vdash \{M_1\}_{M_2} \leftrightarrow \{N_1\}_{N_2}}\ er$$

Applying Lemma 7 to $\Pi_1''$ and $\Pi_2$, we obtain two derivations:

$$\Pi_3:\ \Gamma \cup \Delta, (\{M_1\}_{M_2}, \{N_1\}_{N_2}) \Vdash M_2 \leftrightarrow N_2 \qquad \text{and} \qquad \Pi_4:\ \Gamma \cup \Delta, (\{M_1\}_{M_2}, \{N_1\}_{N_2}) \Vdash R \leftrightarrow T.$$

Therefore, by Lemma 5 we have a derivation, say $\Pi'$, of

$$\Gamma \cup \Delta, (M_1, N_1), (M_2, N_2) \Vdash R \leftrightarrow T.$$

The derivation $\Pi$ is then constructed by applying the induction hypothesis twice, that is, by first cutting $\Pi_1'$ with $\Pi'$, followed by another cut with $\Pi_1''$. $\square$

3.2 Consistency of observer theory 

Recall that the motivation behind the notion of message equivalence $\leftrightarrow$ is for it to replace syntactic equality in the definition of bisimulation. This requires the relation $\leftrightarrow$ to satisfy certain properties, e.g., a uniqueness property like $M \leftrightarrow N$ and $M \leftrightarrow N'$ implies $N = N'$. Since the relation $\leftrightarrow$ is parameterised upon an observer theory, we shall investigate under what conditions an observer theory gives rise to a well-behaved relation $\leftrightarrow$. In the literature on bisimulation for the spi calculus, this notion is usually referred to as the consistency property of observer theories (or other structures encoding the environment's knowledge). We now define an abstract notion of theory consistency, based on the entailment relation $\vdash$ defined previously. We later show that this abstract notion of consistency is equivalent to a more concrete one which is finitely checkable.

Definition 11. A theory r is consistent if for every M and TV, if r \~ M TV then the following hold: 

1. M and TV are of the same type of expressions, i.e., M is a pair (an encrypted message, a (rigid) name) 
if and only if TV is. 

2. If M = {Mi}m 2 and TV = {TVi}tv 2 then m(r) h A7 2 implies r h M 2 <-> TV 2 and n 2 (r) h N 2 implies 

r\-M 2 <r->N 2 . 

3. For any R, r h M <-> 7? implies R — TV and r h 7? <-> N implies R = M. 

The first condition in Definition [TT] states that the equality relation <-> respects types, i.e., it is not 
possible that an operation (pairing, encryption) on M succeeds while the same operation on N fails. The 
second condition states that both projections of the theory contain "equal" amount of knowledge, e.g., it is 
not possible that one message decrypts while the other fails to. The third condition states the unicity of <-> . 
Note that consistent theories always entail x <-> x for any name x. 

3.3 A finite characterisation of consistent theories

The notion of consistency as defined in Definition 11 is not obvious to check since it involves quantification over all equivalent pairs of messages. We show that a theory can be reduced to a certain normal form for which there exist finitely checkable properties that entail consistency of the original theory. For this purpose, we define a rewrite relation on theories.

Definition 12. The rewrite relation $\longrightarrow$ on observer theories is defined as follows:
$$
\begin{array}{lcl}
\Gamma,((M,N),(M',N')) & \longrightarrow & \Gamma,(M,M'),(N,N') \\
\Gamma,(\{M\}_N,\{M'\}_{N'}) & \longrightarrow & \Gamma,(M,M'),(N,N') \quad \text{if } \Gamma,(\{M\}_N,\{M'\}_{N'}) \vdash N \leftrightarrow N'.
\end{array}
$$

A theory $\Gamma$ is irreducible if $\Gamma$ cannot be rewritten to any other theory. $\Gamma$ is an irreducible form of another theory $\Gamma'$ if $\Gamma$ is irreducible and $\Gamma' \longrightarrow^* \Gamma$.

Lemma 13. If $\Gamma$ is consistent and $\Gamma \vdash M \leftrightarrow N$ then $\Gamma \cup \{(M,N)\}$ is consistent.

Lemma 14. Every observer theory $\Gamma$ has a unique irreducible form.




Proof. Since the rewrite system is obviously terminating (each step strictly decreases the total size of the messages in the theory), it is enough to show that it is locally confluent, that is, if $\Gamma \longrightarrow \Delta_1$ and $\Gamma \longrightarrow \Delta_2$ then there exists $\Delta_3$ such that $\Delta_1 \longrightarrow^* \Delta_3$ and $\Delta_2 \longrightarrow^* \Delta_3$. There are no critical pairs in the rewrite system. We need only verify that the side condition of the rewrite rules is not affected by the different sequences of rewrites, which is a simple corollary of Lemma 5. We show here one case involving encryption; the other cases are straightforward. Suppose we have two possible rewrites:
$$
\Gamma = \Delta,(\{R_1\}_{T_1},\{R_2\}_{T_2}),(\{M_1\}_{N_1},\{M_2\}_{N_2}) \longrightarrow \Delta,(\{R_1\}_{T_1},\{R_2\}_{T_2}),(M_1,M_2),(N_1,N_2) = \Delta_1
$$
where $\Gamma \vdash N_1 \leftrightarrow N_2$, and
$$
\Delta,(\{R_1\}_{T_1},\{R_2\}_{T_2}),(\{M_1\}_{N_1},\{M_2\}_{N_2}) \longrightarrow \Delta,(R_1,R_2),(T_1,T_2),(\{M_1\}_{N_1},\{M_2\}_{N_2}) = \Delta_2
$$
where $\Gamma \vdash T_1 \leftrightarrow T_2$. Let $\Delta_3$ be the theory $\Delta,(R_1,R_2),(T_1,T_2),(M_1,M_2),(N_1,N_2)$. By Lemma 5 we have $\Delta_1 \vdash T_1 \leftrightarrow T_2$ and $\Delta_2 \vdash N_1 \leftrightarrow N_2$, and therefore
$$\Delta_1 \longrightarrow \Delta_3 \longleftarrow \Delta_2.$$

□

We denote the irreducible form of $\Gamma$ with $\Gamma{\Downarrow}$. The irreducible form is equivalent to $\Gamma$, in the sense that they entail the same set of equalities of messages.

Lemma 15. If $\Gamma \longrightarrow \Delta$ then $\Gamma \vdash M \leftrightarrow N$ if and only if $\Delta \vdash M \leftrightarrow N$.

Proof. This is a simple corollary of Lemma 5. □

The reduction on observer theories also preserves the set of messages entailed by their projections.

Lemma 16. Suppose $\Gamma \longrightarrow \Gamma'$. Then for all $M$, $\pi_i(\Gamma) \vdash M$ if and only if $\pi_i(\Gamma') \vdash M$.

Proof. Straightforward from the definition of reduction on theories and a simple induction on the length of proofs in the entailment relation. □

An immediate consequence of the above lemma is the following.

Lemma 17. For all $M$ and for all $\Gamma$, $\pi_i(\Gamma) \vdash M$ if and only if $\pi_i(\Gamma{\Downarrow}) \vdash M$.

Lemma 18. If $\Gamma \longrightarrow^* \Delta$, then $\Gamma$ is consistent if and only if $\Delta$ is consistent.

Proof. By Lemma 15 and Lemma 16, the rewrite rules preserve derivability of equations and synthesis of messages in both directions. Therefore the properties of consistency in Definition 11 are preserved by the reduction. □

Lemma 19. A theory $\Gamma$ is consistent if and only if $\Gamma{\Downarrow}$ is consistent.

Proof. This is a simple corollary of Lemma 18. □

We are now ready to state the finite characterisation of consistent theories.

Proposition 20. A theory $\Gamma$ is consistent if and only if $\Gamma{\Downarrow}$ satisfies the following conditions: if $(M,N) \in \Gamma{\Downarrow}$ then

(a) $M$ and $N$ are of the same type of expressions; in particular, if $M = x$ for some name $x$, then $N = x$, and vice versa,

(b) if $M = \{M_1\}_{M_2}$ and $N = \{N_1\}_{N_2}$ then $\pi_1(\Gamma{\Downarrow}) \nvdash M_2$ and $\pi_2(\Gamma{\Downarrow}) \nvdash N_2$,

(c) for any $(U,V) \in \Gamma{\Downarrow}$, $U = M$ if and only if $V = N$.
Proof. Suppose that $\Gamma$ is consistent. We show that $\Gamma{\Downarrow}$ satisfies (a), (b) and (c). By Lemma 19, $\Gamma{\Downarrow}$ is consistent. The criteria (a) and (c) follow straightforwardly from Definition 11 (1) and (3). To show (b), suppose that $M = \{M_1\}_{M_2}$ and $N = \{N_1\}_{N_2}$ but $\pi_1(\Gamma{\Downarrow}) \vdash M_2$. By Definition 11 (2), we have $\Gamma{\Downarrow} \vdash M_2 \leftrightarrow N_2$. But this entails that $\Gamma{\Downarrow}$ is reducible, contrary to the fact that $\Gamma{\Downarrow}$ is irreducible. Therefore it must be the case that $\pi_1(\Gamma{\Downarrow}) \nvdash M_2$. Using a similar argument we can show that $\pi_2(\Gamma{\Downarrow}) \nvdash N_2$.

Now suppose that $\Gamma{\Downarrow}$ satisfies (a), (b) and (c). We show that $\Gamma$ is consistent. By Lemma 19 it is enough to show that $\Gamma{\Downarrow}$ is consistent. That is, we show that whenever $\Gamma{\Downarrow} \vdash M \leftrightarrow N$, $M$ and $N$ satisfy the conditions (1), (2) and (3) in Definition 11. This is proved by induction on the length of the deduction of $\Gamma{\Downarrow} \vdash M \leftrightarrow N$. Note that since $\Gamma{\Downarrow}$ is irreducible, the derivation of $\Gamma{\Downarrow} \vdash M \leftrightarrow N$ does not make any use of left-rules.

1. $M$ and $N$ are of the same type of expressions. This fact is easily shown by induction on the length of proofs of $\Gamma{\Downarrow} \vdash M \leftrightarrow N$.

2. If $M = \{M_1\}_{M_2}$ and $N = \{N_1\}_{N_2}$ then $\pi_1(\Gamma{\Downarrow}) \vdash M_2$ implies $\Gamma{\Downarrow} \vdash M_2 \leftrightarrow N_2$, and $\pi_2(\Gamma{\Downarrow}) \vdash N_2$ implies $\Gamma{\Downarrow} \vdash M_2 \leftrightarrow N_2$. We show here a proof of the first part of the conjunction; the other part is symmetric. The proof is by induction on the length of the derivation of $\Gamma{\Downarrow} \vdash M \leftrightarrow N$. Note that since left-rules are not applicable, there are only two possible cases to consider. The first is that $(M,N) \in \Gamma{\Downarrow}$. In this case, $\pi_1(\Gamma{\Downarrow}) \nvdash M_2$ by the assumption (b) of the statement of the proposition, so the property holds vacuously. The other case is when the last rule of $\Gamma{\Downarrow} \vdash M \leftrightarrow N$ is an encryption rule:
$$
\dfrac{\Gamma{\Downarrow} \vdash M_1 \leftrightarrow N_1 \qquad \Gamma{\Downarrow} \vdash M_2 \leftrightarrow N_2}{\Gamma{\Downarrow} \vdash \{M_1\}_{M_2} \leftrightarrow \{N_1\}_{N_2}}\ er
$$
The property holds trivially, since $\Gamma{\Downarrow} \vdash M_2 \leftrightarrow N_2$.

3. For any $R$, $\Gamma{\Downarrow} \vdash M \leftrightarrow R$ implies $R = N$, and $\Gamma{\Downarrow} \vdash R \leftrightarrow N$ implies $R = M$. We show only the first part of the conjunction; the other part is symmetric. We first note that by property (1) above, $M$, $R$ and $N$ must all be of the same type of expressions. The proof is by induction on the size of $R$:

– $R = x$, for some name $x$. Then obviously $M = N = R = x$.

– $R = a$, for some rigid name $a$. In this case, it must be the case that $(M,R) \in \Gamma{\Downarrow}$ and $(M,N) \in \Gamma{\Downarrow}$. Therefore, by the condition (c) in the statement of the proposition, we have $R = N$.

– $R = (R_1,R_2)$. In this case, $M$ and $N$ must also be pairs, say $(M_1,M_2)$ and $(N_1,N_2)$, and the derivations of $\Gamma{\Downarrow} \vdash M \leftrightarrow R$ and $\Gamma{\Downarrow} \vdash M \leftrightarrow N$ must end with instances of the $pr$-rule. Therefore we have $\Gamma{\Downarrow} \vdash M_1 \leftrightarrow R_1$, $\Gamma{\Downarrow} \vdash M_2 \leftrightarrow R_2$, $\Gamma{\Downarrow} \vdash M_1 \leftrightarrow N_1$ and $\Gamma{\Downarrow} \vdash M_2 \leftrightarrow N_2$. By the induction hypothesis, we have $R_1 = N_1$ and $R_2 = N_2$, therefore $R = N$.

– $R = \{R_1\}_{R_2}$. In this case we have that $M = \{M_1\}_{M_2}$ and $N = \{N_1\}_{N_2}$ for some $M_1$, $M_2$, $N_1$ and $N_2$. There are two cases to consider here. The first is when the derivation of $\Gamma{\Downarrow} \vdash M \leftrightarrow R$ ends with the id-rule, that is, $(M,R) \in \Gamma{\Downarrow}$. In this case, we argue that $(M,N)$ must also be in $\Gamma{\Downarrow}$: suppose this is not the case, then $\Gamma{\Downarrow} \vdash M \leftrightarrow N$ must end with the $er$-rule, and as a consequence, $\Gamma{\Downarrow} \vdash M_2 \leftrightarrow N_2$ and $\pi_1(\Gamma{\Downarrow}) \vdash M_2$. By the property (2) above, this entails $\Gamma{\Downarrow} \vdash M_2 \leftrightarrow R_2$. But this would mean that $\Gamma{\Downarrow}$ is reducible, contrary to the fact that $\Gamma{\Downarrow}$ is irreducible. Hence $(M,N)$ must also be in $\Gamma{\Downarrow}$. Now by the condition (c) in the assumption of the proposition, we have $R = N$.

The second case is when $\Gamma{\Downarrow} \vdash M \leftrightarrow R$ ends with the $er$-rule. This case is proved straightforwardly by the induction hypothesis.

□

Finally, we show that the inverse operation on an observer theory preserves consistency.

Lemma 21. If $\Gamma$ is consistent then $\Gamma^{-1}$ is also consistent.

Proof. This follows from Lemma 9 and the definition of consistency. □
3.4 Closure under substitutions

In the definition of open bisimulation in Section 4, we shall consider substitutions of free names in processes and theories. It is crucial that open bisimulation is closed under certain substitutions in order to show that it is a congruence. A key technical lemma in proving this congruence property is that derivability of message equivalence is closed under a certain class of substitutions.

The entailment relation $\vdash$ is in general not closed under arbitrary substitutions, the reason being the inclusion of the var-rule. Using this rule, we can prove, for instance, $\vdash x \leftrightarrow x$. Now if we substitute $a$ for $x$, where $a$ is some rigid name, we do not have $\vdash a \leftrightarrow a$, since the var-rule does not apply to rigid names.

We first study a subset of $\vdash$ without the var-rule, which we call $\vdash_c$ (for "closed" entailment relation), and show how this can be used to characterize the kind of substitutions required for proving closure under substitutions for the entailment relation $\vdash$. We shall often work with substitution pairs in the following sections. Application of a substitution pair $\theta = (\theta_1,\theta_2)$ to a pair of terms $(M,N)$ is defined to be $(M\theta_1, N\theta_2)$. This extends straightforwardly to application of substitution pairs to sets or lists of pairs.

The proofs of the following two lemmas are straightforward by induction on the length of derivations.

Lemma 22. Let $\Gamma \vdash M \leftrightarrow N$ and let $x_1,\ldots,x_n$ be the free names in $\Gamma$, $M$ and $N$. Then we have
$$(x_1,x_1),\ldots,(x_n,x_n),\Gamma \vdash_c M \leftrightarrow N.$$

Lemma 23. If $\Gamma \vdash_c M \leftrightarrow N$ then for any substitution pair $\theta = (\theta_1,\theta_2)$, $\Gamma\theta \vdash_c M\theta_1 \leftrightarrow N\theta_2$.

Lemma 24. Let $\Gamma \vdash M \leftrightarrow N$ and let $\theta = (\theta_1,\theta_2)$ be a substitution pair such that for all $x \in fn(\Gamma,M,N)$ it holds that $\Gamma\theta \vdash \theta_1(x) \leftrightarrow \theta_2(x)$. Then $\Gamma\theta \vdash M\theta_1 \leftrightarrow N\theta_2$.

Proof. Suppose $fn(\Gamma,M,N) = \{x_1,\ldots,x_n\}$. From Lemma 22 we have
$$(x_1,x_1),\ldots,(x_n,x_n),\Gamma \vdash_c M \leftrightarrow N,$$
and applying Lemma 23 we get
$$(x_1\theta_1,x_1\theta_2),\ldots,(x_n\theta_1,x_n\theta_2),\Gamma\theta \vdash_c M\theta_1 \leftrightarrow N\theta_2.$$
Since $\vdash_c \subseteq \vdash$, we also have
$$(\theta_1(x_1),\theta_2(x_1)),\ldots,(\theta_1(x_n),\theta_2(x_n)),\Gamma\theta \vdash M\theta_1 \leftrightarrow N\theta_2.$$
From the assumption, we have $\Gamma\theta \vdash \theta_1(x_i) \leftrightarrow \theta_2(x_i)$ for any $i \in \{1,\ldots,n\}$. Therefore, applying Proposition 10 $n$ times, we obtain
$$\Gamma\theta \vdash M\theta_1 \leftrightarrow N\theta_2.$$

□

3.5 Composition of observer theories

Definition 25. Let $\Gamma_1$ and $\Gamma_2$ be observer theories. $\Gamma_1$ is left-composable with $\Gamma_2$, or equivalently, $\Gamma_2$ is right-composable with $\Gamma_1$, if they are of the form
$$\Gamma_1 = \{(M_1,N_1),\ldots,(M_k,N_k)\}$$
$$\Gamma_2 = \{(N_1,R_1),\ldots,(N_k,R_k)\}$$
and $N_1,\ldots,N_k$ are pairwise distinct messages. Their (unique) composition, denoted by $\Gamma_1 \circ \Gamma_2$, is the theory
$$\{(M_1,R_1),\ldots,(M_k,R_k)\}.$$

Lemma 26. Let $\Gamma_1$ and $\Gamma_2$ be consistent observer theories such that $\Gamma_1$ is left-composable with $\Gamma_2$. If $\Gamma_1 \vdash M \leftrightarrow R$ and $\Gamma_2 \vdash R \leftrightarrow N$ then $\Gamma_1 \circ \Gamma_2 \vdash M \leftrightarrow N$.
Proof. We prove this by induction on the length of the derivation of $\Gamma_1 \vdash M \leftrightarrow R$.

– Base cases: If $M = x$ then $R = x$ and $N = x$, and trivially $\Gamma_1 \circ \Gamma_2 \vdash x \leftrightarrow x$. Otherwise $(M,R) \in \Gamma_1$. Since $\Gamma_1$ and $\Gamma_2$ are composable, there is a unique $T$ such that $(R,T) \in \Gamma_2$. By Definition 11 (3), this means that $T = N$. Therefore we have $(M,N) \in \Gamma_1 \circ \Gamma_2$, hence $\Gamma_1 \circ \Gamma_2 \vdash M \leftrightarrow N$.

– Inductive cases: We distinguish several cases based on the last rule in the derivation of $\Gamma_1 \vdash M \leftrightarrow R$. We show here only the cases involving encryptions; the other cases follow straightforwardly from the induction hypothesis.

Suppose the last rule is $el$:
$$
\dfrac{\Gamma_1' \vdash T \leftrightarrow V \qquad \Gamma_1',(S,U),(T,V) \vdash M \leftrightarrow R}{\Gamma_1',(\{S\}_T,\{U\}_V) \vdash M \leftrightarrow R}\ el
$$
In this case there must be a pair $(\{U\}_V,\{X\}_Y)$ in $\Gamma_2$. Since $\Gamma_1 \vdash T \leftrightarrow V$ and $\pi_1(\Gamma_2) = \pi_2(\Gamma_1)$, we have that $\pi_1(\Gamma_2) \vdash V$, and by Definition 11 (2), $\Gamma_2 \vdash V \leftrightarrow Y$, and by the induction hypothesis we have
$$\Gamma_1 \circ \Gamma_2 \vdash T \leftrightarrow Y.$$
Since $\Gamma_2 \vdash R \leftrightarrow N$ and $\Gamma_2 \vdash V \leftrightarrow Y$, by Lemma 5 and Lemma 4 we have $\Gamma_2,(U,X),(V,Y) \vdash R \leftrightarrow N$. Since $\Gamma_2$ is consistent and $\Gamma_2 \vdash U \leftrightarrow X$ and $\Gamma_2 \vdash V \leftrightarrow Y$, by Lemma 13, $\Gamma_2 \cup \{(U,X),(V,Y)\}$ is also consistent. By a similar argument, we can show that $\Gamma_1 \cup \{(S,U),(T,V)\}$ is consistent. We can therefore apply the induction hypothesis to get the derivation
$$\Gamma_1 \circ \Gamma_2,(S,X),(T,Y) \vdash M \leftrightarrow N.$$
The sequent $\Gamma_1 \circ \Gamma_2 \vdash M \leftrightarrow N$ can therefore be derived as follows:
$$
\dfrac{\Gamma_1 \circ \Gamma_2 \vdash T \leftrightarrow Y \qquad \Gamma_1 \circ \Gamma_2,(S,X),(T,Y) \vdash M \leftrightarrow N}{\Gamma_1 \circ \Gamma_2 \vdash M \leftrightarrow N}\ el
$$
where the derivations for the premise sequents are constructed as discussed above.

– Suppose the last rule is $er$:
$$
\dfrac{\Gamma_1 \vdash M_1 \leftrightarrow R_1 \qquad \Gamma_1 \vdash M_2 \leftrightarrow R_2}{\Gamma_1 \vdash \{M_1\}_{M_2} \leftrightarrow \{R_1\}_{R_2}}\ er
$$
Since $\Gamma_2$ is consistent, it must be the case that $N = \{N_1\}_{N_2}$ for some $N_1$, $N_2$. Since $\pi_1(\Gamma_2) = \pi_2(\Gamma_1)$, we have $\pi_1(\Gamma_2) \vdash R_2$, therefore by Definition 11 (2), $\Gamma_2 \vdash R_2 \leftrightarrow N_2$. It follows from Lemma 6 that $\Gamma_2 \vdash R_1 \leftrightarrow N_1$ as well. We can therefore apply the induction hypothesis to obtain
$$\Gamma_1 \circ \Gamma_2 \vdash M_1 \leftrightarrow N_1 \quad\text{and}\quad \Gamma_1 \circ \Gamma_2 \vdash M_2 \leftrightarrow N_2,$$
from which we derive $\Gamma_1 \circ \Gamma_2 \vdash M \leftrightarrow N$ by an application of the $er$-rule.

□

Lemma 27. Let $\Gamma_1$ and $\Gamma_2$ be consistent theories such that $\Gamma_1$ is left-composable with $\Gamma_2$. If $\Gamma_1 \circ \Gamma_2 \longrightarrow \Delta$ then there exist $\Gamma_1'$ and $\Gamma_2'$ such that $\Gamma_1'$ is left-composable with $\Gamma_2'$, $\Gamma_1 \longrightarrow \Gamma_1'$, $\Gamma_2 \longrightarrow \Gamma_2'$, and $\Delta = \Gamma_1' \circ \Gamma_2'$.

Proof. We prove this by case analysis on the rewrite step $\Gamma_1 \circ \Gamma_2 \longrightarrow \Delta$. The case where the rewrite happens on paired messages is trivial. We consider the more difficult case with encryption. Suppose $\Gamma_1 = \Delta_1 \cup \{(\{R\}_T,\{U\}_V)\}$ and $\Gamma_2 = \Delta_2 \cup \{(\{U\}_V,\{M\}_N)\}$, and suppose the rewrite step is
$$
\Gamma_1 \circ \Gamma_2 = \Delta_1 \circ \Delta_2,(\{R\}_T,\{M\}_N) \longrightarrow \Delta_1 \circ \Delta_2,(R,M),(T,N) = \Delta
$$
where $\Gamma_1 \circ \Gamma_2 \vdash T \leftrightarrow N$. Since $\pi_1(\Gamma_1) = \pi_1(\Gamma_1 \circ \Gamma_2)$ and $\pi_2(\Gamma_2) = \pi_2(\Gamma_1 \circ \Gamma_2)$, we have
$$\pi_1(\Gamma_1) \vdash T \quad\text{and}\quad \pi_2(\Gamma_2) \vdash N.$$
Since $\Gamma_1$ and $\Gamma_2$ are consistent, by Definition 11 (2) together with the above two facts, we have
$$\Gamma_1 \vdash T \leftrightarrow V \quad\text{and}\quad \Gamma_2 \vdash V \leftrightarrow N.$$
Therefore,
$$\Gamma_1 \longrightarrow \Delta_1,(R,U),(T,V) = \Gamma_1' \quad\text{and}\quad \Gamma_2 \longrightarrow \Delta_2,(U,M),(V,N) = \Gamma_2'.$$
Obviously, $\Delta = \Gamma_1' \circ \Gamma_2'$. □
Lemma 28. Let $\Gamma_1$ and $\Gamma_2$ be consistent theories such that $\Gamma_1$ is left-composable with $\Gamma_2$. If $\Gamma_1 \circ \Gamma_2$ is irreducible then so are $\Gamma_1$ and $\Gamma_2$.

Proof. Suppose $\Gamma_1 \circ \Gamma_2$ is irreducible but $\Gamma_1$ is reducible. We first show that in this case $\Gamma_2$ is also reducible. More precisely, if $(M,N) \in \Gamma_1$ is a redex of a rewrite rule, then $(N,V) \in \Gamma_2$, for some $V$, is also a redex of the same rewrite rule. Note that since $\Gamma_1$ and $\Gamma_2$ are consistent, $M$, $N$ and $V$ are all of the same type of syntactic expressions. We show here the case with encrypted redices; the other case is trivial. So suppose that $(\{R\}_T,\{U\}_V) \in \Gamma_1$ and $(\{U\}_V,\{X\}_Y) \in \Gamma_2$. Let $\Gamma_1' = \Gamma_1 \setminus \{(\{R\}_T,\{U\}_V)\}$ and $\Gamma_2' = \Gamma_2 \setminus \{(\{U\}_V,\{X\}_Y)\}$. Suppose that the following rewrite rule is applied on $\Gamma_1$:
$$\Gamma_1',(\{R\}_T,\{U\}_V) \longrightarrow \Gamma_1',(R,U),(T,V),$$
and $\Gamma_1 \vdash T \leftrightarrow V$. This entails that $\pi_1(\Gamma_2) \vdash V$ (since $\pi_2(\Gamma_1) = \pi_1(\Gamma_2)$) and by Definition 11 (2), $\Gamma_2 \vdash V \leftrightarrow Y$, so $\Gamma_2$ is indeed reducible. The converse, i.e., if $\Gamma_2$ is reducible then $\Gamma_1$ is reducible, can be proved analogously.

Applying Lemma 26 to $\Gamma_1 \vdash T \leftrightarrow V$ and $\Gamma_2 \vdash V \leftrightarrow Y$ obtained above, we have $\Gamma_1 \circ \Gamma_2 \vdash T \leftrightarrow Y$. Therefore we can perform the following rewrite:
$$\Gamma_1 \circ \Gamma_2 = \Gamma_1' \circ \Gamma_2',(\{R\}_T,\{X\}_Y) \longrightarrow \Gamma_1' \circ \Gamma_2',(R,X),(T,Y)$$
which contradicts the fact that $\Gamma_1 \circ \Gamma_2$ is irreducible. Therefore it must be the case that both $\Gamma_1$ and $\Gamma_2$ are irreducible. □

Lemma 29. Let $\Gamma_1$ and $\Gamma_2$ be consistent theories such that $\Gamma_1$ is left-composable to $\Gamma_2$. Then $\Gamma_1{\Downarrow}$ is left-composable with $\Gamma_2{\Downarrow}$ and
$$(\Gamma_1 \circ \Gamma_2){\Downarrow} = (\Gamma_1{\Downarrow}) \circ (\Gamma_2{\Downarrow}).$$

Proof. We first apply the rewrite rules to $\Gamma_1 \circ \Gamma_2$ until it reaches its irreducible form. By Lemma 27, we have $\Gamma_1'$ and $\Gamma_2'$ such that $(\Gamma_1 \circ \Gamma_2){\Downarrow} = \Gamma_1' \circ \Gamma_2'$ and that $\Gamma_1 \longrightarrow^* \Gamma_1'$ and $\Gamma_2 \longrightarrow^* \Gamma_2'$. By Lemma 28 we have that both $\Gamma_1'$ and $\Gamma_2'$ are irreducible, and since irreducible forms are unique, it must be the case that $\Gamma_1{\Downarrow} = \Gamma_1'$ and $\Gamma_2{\Downarrow} = \Gamma_2'$, and therefore we have
$$(\Gamma_1 \circ \Gamma_2){\Downarrow} = (\Gamma_1{\Downarrow}) \circ (\Gamma_2{\Downarrow}).$$

□



Lemma 30. Let $\Gamma$ be a consistent theory. If $\pi_1(\Gamma) \vdash M$ ($\pi_2(\Gamma) \vdash M$) then there exists a unique $N$ such that $\Gamma \vdash M \leftrightarrow N$ (respectively, $\Gamma \vdash N \leftrightarrow M$).

Proof. By induction on the length of derivations, we can show that if $\pi_1(\Gamma) \vdash M$ ($\pi_2(\Gamma) \vdash M$) then there exists an $N$ such that $\Gamma \vdash M \leftrightarrow N$ (respectively, $\Gamma \vdash N \leftrightarrow M$). The uniqueness of $N$ follows immediately from Definition 11 (3). □

Lemma 31. Let $\Gamma_1$ and $\Gamma_2$ be consistent theories such that $\Gamma_1$ is left-composable to $\Gamma_2$. If $\Gamma_1 \circ \Gamma_2 \vdash M \leftrightarrow N$, then there exists a unique $R$ such that $\Gamma_1 \vdash M \leftrightarrow R$ and $\Gamma_2 \vdash R \leftrightarrow N$.

Proof. Since consistency and composability (of consistent theories) are preserved by reduction (Lemma 19 and Lemma 29), without loss of generality we can assume that $\Gamma_1$ and $\Gamma_2$ are irreducible, and therefore $\Gamma_1 \circ \Gamma_2$ is irreducible as well. So suppose that $\Gamma_1 \circ \Gamma_2 \vdash M \leftrightarrow N$. Since $\Gamma_1 \circ \Gamma_2$ is irreducible, the derivation of $\Gamma_1 \circ \Gamma_2 \vdash M \leftrightarrow N$ does not make use of the left-rules ($el$ and $pl$). $R$ can then be constructed by induction on the length of the derivation, and its uniqueness follows from the consistency of $\Gamma_1$ and $\Gamma_2$. □

Lemma 32. Let $\Gamma_1$ and $\Gamma_2$ be consistent theories such that $\Gamma_1$ is left-composable to $\Gamma_2$. Then $\Gamma_1 \circ \Gamma_2$ is consistent.

Proof. We show that $\Gamma_1 \circ \Gamma_2$ satisfies the properties of consistency defined in Definition 11. Suppose $\Gamma_1 \circ \Gamma_2 \vdash M \leftrightarrow N$. By Lemma 31 there exists a unique $R$ such that $\Gamma_1 \vdash M \leftrightarrow R$ and $\Gamma_2 \vdash R \leftrightarrow N$. The three properties in Definition 11 are proved as follows:

1. $M$ and $N$ are of the same type of expressions. This trivially holds since $M$, $N$ and $R$ are of the same type of expressions by the consistency of $\Gamma_1$ and $\Gamma_2$.

2. If $M = \{M_1\}_{M_2}$ and $N = \{N_1\}_{N_2}$ then $\pi_1(\Gamma_1 \circ \Gamma_2) \vdash M_2$ implies $\Gamma_1 \circ \Gamma_2 \vdash M_2 \leftrightarrow N_2$, and $\pi_2(\Gamma_1 \circ \Gamma_2) \vdash N_2$ implies $\Gamma_1 \circ \Gamma_2 \vdash M_2 \leftrightarrow N_2$. We show the first part of the conjunction; the other part is proved symmetrically. Note that $R = \{R_1\}_{R_2}$, for some $R_1$ and $R_2$. Now assume that $\pi_1(\Gamma_1 \circ \Gamma_2) \vdash M_2$. Then $\pi_1(\Gamma_1) \vdash M_2$, hence $\Gamma_1 \vdash M_2 \leftrightarrow R_2$ by the consistency of $\Gamma_1$. From this, it follows that $\pi_1(\Gamma_2) \vdash R_2$ and therefore $\Gamma_2 \vdash R_2 \leftrightarrow N_2$ by the consistency of $\Gamma_2$. By Lemma 26, this means that $\Gamma_1 \circ \Gamma_2 \vdash M_2 \leftrightarrow N_2$ as required.

3. For any $T$, $\Gamma_1 \circ \Gamma_2 \vdash M \leftrightarrow T$ implies $T = N$, and $\Gamma_1 \circ \Gamma_2 \vdash T \leftrightarrow N$ implies $T = M$. We show the first case; the other is symmetric. Suppose $\Gamma_1 \circ \Gamma_2 \vdash M \leftrightarrow T$. By Lemma 31 there exists a unique $U$ such that $\Gamma_1 \vdash M \leftrightarrow U$ and $\Gamma_2 \vdash U \leftrightarrow T$. But this means $U = R$, by the consistency of $\Gamma_1$, and $T = N$, by the consistency of $\Gamma_2$.

□

4 Open bisimulation 

Open bisimulation for the spi-calculus to be presented in this section is similar to other environment-sensitive 
bisimulations, in the sense that it is also indexed by some structure representing the knowledge of the 
environment. A candidate for representing this knowledge is the observer theory presented earlier. However, 
since the crucial feature of open bisimulation is the symbolic representation of input values, extra structures 
need to be added to observer theories to capture dependencies between various symbolic input values at 
different stages of bisimulation checking. The notion of symbolic traces as defined in [3] conveniently captures
this sort of dependency. Open bisimulation is indexed by pairs of a variant of symbolic traces, called bi-traces. 
The important properties we need to establish regarding bi-traces are that they can be soundly interpreted 
as observer theories, and they behave well with respect to substitutions of input values. 

In the following, we use the notation $[x_1,\ldots,x_n]$ to denote a list whose elements are $x_1,\ldots,x_n$. The empty list is denoted by $[]$. Concatenation of a list $l_1$ with another list $l_2$ is denoted by $l_1.l_2$, where $l_2$ is appended to the end of $l_1$. If $l_2$ is a singleton list, say $[x]$, then we write $l_1.x$ instead of $l_1.[x]$, and likewise $x.l_1$ instead of $[x].l_1$.

Definition 33. An I/O pair is a pair of messages marked with $i$ (indicating input) or $o$ (indicating output), i.e., it is of the form $(M,N)^i$ or $(M,N)^o$. A bi-trace is a list of I/O pairs, ranged over by $h$. We denote with $\pi_1(h)$ the list obtained from $h$ by taking the first component of the pairs in $h$. The list $\pi_2(h)$ is defined analogously. Bi-traces are subject to the following restriction: if $h = h_1.(M,N)^o.h_2$ then $fn(M,N) \subseteq fn(h_1)$. If $h$ is
$$[(M_1,N_1)^{l_1},\ldots,(M_k,N_k)^{l_k}]$$
then the inverse of $h$, written $h^{-1}$, is the list
$$[(N_1,M_1)^{l_1},\ldots,(N_k,M_k)^{l_k}].$$
We write $\{h\}$ to denote the set
$$\{(M,N) \mid (M,N)^i \in h \text{ or } (M,N)^o \in h\}.$$

The underlying idea in the bi-trace representation is that names are symbolic values. This explains the requirement that the free names of an output pair in a bi-trace must appear before the output pair. In other words, input values (i.e., names) are created only at input pairs.

Given a bi-trace $h$, the underlying set $\{h\}$ is obviously an observer theory. Application of a substitution pair $(\theta_1,\theta_2)$ to a bi-trace is defined element-wise, i.e.,
$$[](\theta_1,\theta_2) = []$$
$$((M,N)^*.h')(\theta_1,\theta_2) = (M\theta_1,N\theta_2)^*.(h'(\theta_1,\theta_2))$$
where $*$ is either $i$ or $o$. Bi-traces are essentially theories with added structure. As such, we also associate a notion of consistency with bi-traces. As in Boreale's symbolic traces [5], bi-trace consistency needs to take into account the fact that their instantiations correspond to concrete traces. Not all instantiations of symbolic traces give rise to correct concrete traces. For example, the process $P = a(x).(\nu k)\bar{a}\langle k\rangle.\bar{a}\langle x\rangle$ has a symbolic trace $a\,x.\bar{a}\,k.\bar{a}\,x$, but instantiating $x$ to $k$ produces a concrete trace $a\,k.\bar{a}\,k.\bar{a}\,k$, which does not correspond to any actual trace the process $P$ can produce, since the input $x$ happens before $k$ is extruded. Consistency conditions for bi-traces are more complicated than for symbolic traces, since we need extra conditions ensuring the consistency of the observer theory underlying the traces. We first define a notion of respectful substitutions for bi-traces. In the following we shall write $h \vdash M \leftrightarrow N$, instead of the more type-correct version $\{h\} \vdash M \leftrightarrow N$, when we consider an equivalent pair of messages under the theory obtained from a bi-trace $h$.

Definition 34. A substitution pair $\theta = (\theta_1,\theta_2)$ respects a bi-trace $h$ if whenever $h = h_1.(M,N)^i.h_2$, then for every $x \in fn(M,N)$ it holds that
$$h_1\theta \vdash x\theta_1 \leftrightarrow x\theta_2.$$

The requirement that every input pair be deducible from its predecessors in the bi-trace captures the dependency of the names of the input pair on their preceding input/output pairs, and thus avoids unsound instantiations as described above. At this point, it is instructive to examine the case where the elements of bi-traces are pairs of names or rigid names. Consider for example the bi-trace
$$(x,x)^i.(a,a)^o.(y,y)^i.(b,b)^o.$$
There is a respectful substitution that identifies $x$ and $y$, or $y$ with $a$, but there are no respectful substitutions that identify $x$ with $a$, $y$ with $b$, or $a$ with $b$. Thus this bi-trace captures a restricted notion of distinction [12]. Rigid names encode an implicit distinction: no two rigid names can be identified by substitutions, whereas the positions of names encode their respective scopes.
We now proceed to defining bi-trace consistency.

Definition 35. We define the notion of consistent bi-traces inductively on the length of bi-traces as follows:

1. The empty bi-trace is consistent.

2. If $h$ is a consistent bi-trace then $h.(M,N)^i$ is also a consistent bi-trace, provided that $h \vdash M \leftrightarrow N$.

3. If $h$ is a consistent bi-trace, then $h' = h.(M,N)^o$ is a consistent bi-trace, provided that for every $h$-respectful substitution pair $\theta$, if $h\theta$ is a consistent bi-trace then $\{h'\theta\}$ is a consistent theory.

Note that in item (3) of the above definition, there is a negative occurrence of consistent bi-traces. But since this occurrence is about a smaller trace, it is already defined by induction, and therefore the definition is still well-founded. In the same item we quantify over all respectful substitutions. This is unfortunate from the viewpoint of bisimulation checking, but it is unavoidable if we want the notion of consistency to be closed under respectful substitutions. Consider the following example: let $h$ be the bi-trace
$$(a,a)^o.(b,b)^o.(x,x)^i.(\{x\}_k,\{a\}_k)^o.(\{b\}_k,\{x\}_k)^o.$$
If we drop the quantification over respectful substitutions, then this trace would be considered consistent. However, under the respectful substitution pair $([b/x],[b/x])$, the above bi-trace is instantiated to
$$(a,a)^o.(b,b)^o.(b,b)^i.(\{b\}_k,\{a\}_k)^o.(\{b\}_k,\{b\}_k)^o$$
which gives rise to an inconsistent theory. A complete finite characterisation of consistent bi-traces is left for future work.

Note that for any given bi-trace $h$, the empty substitution pair $(\epsilon,\epsilon)$ is obviously an $h$-respectful substitution.
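As an added example (not code from the paper), the following Python implements the objects of Sections 3.3, 3.5 and 4 so that the two bi-traces above can be checked mechanically: the rewriting of an observer theory to its irreducible form $\Gamma{\Downarrow}$ (Definition 12), the three finitely checkable conditions of Proposition 20, and bi-traces with element-wise substitution, respectful substitution pairs (Definition 34) and positional composition (Definition 36). The message synthesis $\pi_i(\Gamma) \vdash M$ is not defined on this page; the example assumes the standard Dolev-Yao deduction for it. It decides $\Gamma \vdash M \leftrightarrow N$ on $\Gamma{\Downarrow}$ with the right rules only, which Lemma 15 and the proof of Proposition 20 justify. All function names and the tuple encoding of messages are the example's own choices.

```python
# Added example, not code from the paper.  Observer theories over spi
# messages, their irreducible form (Definition 12), the finite consistency
# test of Proposition 20, and bi-traces with substitution pairs, respectful
# substitutions (Definition 34) and composition (Definition 36).
# Assumption: pi_i(Gamma) |- M is Dolev-Yao deduction (pairing, encryption,
# projection, decryption under a derivable key); the page does not define it.
# Messages: ('n', x) a name, ('r', a) a rigid name, ('p', M, N) the pair
# (M,N), ('e', M, K) the encryption {M}_K.  A theory is a set of (M, N)
# pairs; a bi-trace is a list of (M, N, 'i' | 'o') triples.

def fn(*ms):
    """Free (non-rigid) names occurring in the given messages."""
    return {m for m in ms if m[0] == 'n'} | set().union(*(fn(m[1], m[2]) for m in ms if m[0] in ('p', 'e')))

def build(s, m):
    """m is composed from messages in s by pairing and encryption."""
    return m in s or (m[0] in ('p', 'e') and build(s, m[1]) and build(s, m[2]))

def synth(known, m):
    """Assumed Dolev-Yao synthesis pi(Gamma) |- m: close `known` under
    projection and decryption with a derivable key, then compose m."""
    s, grown = set(known), True
    while grown:
        new = {c for t in s if t[0] == 'p' for c in t[1:]}
        new |= {t[1] for t in s if t[0] == 'e' and build(s, t[2])}
        grown = not new <= s
        s |= new
    return build(s, m)

def equiv_r(theory, m, n):
    """Gamma |- M <-> N with the var, id, pr and er rules only; on an
    irreducible theory the left rules pl and el are never needed."""
    if (m, n) in theory:                      # id
        return True
    if m[0] == 'n' and m == n:                # var: names, not rigid names
        return True
    if m[0] == n[0] and m[0] in ('p', 'e'):   # pr / er, componentwise
        return equiv_r(theory, m[1], n[1]) and equiv_r(theory, m[2], n[2])
    return False

def irreducible(theory):
    """Gamma-down-arrow: rewrite (Definition 12) until no pair of pairs is
    left and no encryption pair ({M}_N,{M'}_N') has Gamma |- N <-> N'."""
    g, changed = set(theory), True
    while changed:
        changed = False
        for m, n in list(g):
            if m[0] == n[0] == 'p' or (m[0] == n[0] == 'e' and equiv_r(g, m[2], n[2])):
                g.remove((m, n))
                g |= {(m[1], n[1]), (m[2], n[2])}
                changed = True
    return frozenset(g)

def consistent(theory):
    """Proposition 20 on Gamma-down-arrow: (a) same shape and equal names,
    (b) no encryption pair whose key a projection synthesises,
    (c) the pairs relate messages one-to-one."""
    g = irreducible(theory)
    p1, p2 = {m for m, _ in g}, {n for _, n in g}
    for m, n in g:
        if m[0] != n[0] or (m[0] == 'n' and m != n):               # (a)
            return False
        if m[0] == 'e' and (synth(p1, m[2]) or synth(p2, n[2])):    # (b)
            return False
        if any((u == m) != (v == n) for u, v in g):                  # (c)
            return False
    return True

def subst(m, th):
    """Apply a substitution (dict: name -> message) to a message."""
    if m[0] == 'n':
        return th.get(m, m)
    return (m[0], subst(m[1], th), subst(m[2], th)) if m[0] in ('p', 'e') else m

def apply_pair(h, th1, th2):
    """Element-wise application of the substitution pair (th1, th2)."""
    return [(subst(m, th1), subst(n, th2), io) for m, n, io in h]

def theory_of(h):
    """The underlying observer theory {h} of a bi-trace."""
    return {(m, n) for m, n, _ in h}

def respects(th1, th2, h):
    """Definition 34: for each input pair, every name in it must be related,
    under the instantiated prefix (decided on its irreducible form, Lemma 15),
    to its two images."""
    for k, (m, n, io) in enumerate(h):
        if io == 'i':
            prefix = irreducible(theory_of(apply_pair(h[:k], th1, th2)))
            if not all(equiv_r(prefix, subst(x, th1), subst(x, th2)) for x in fn(m, n)):
                return False
    return True

def compose(h1, h2):
    """Definition 36: positional composition, or None when undefined."""
    if len(h1) != len(h2) or any(t != u or p != q for (_, t, p), (u, _, q) in zip(h1, h2)):
        return None
    return [(r, v, p) for (r, _, p), (_, v, _) in zip(h1, h2)]

# Constructed inputs: the two bi-traces discussed in the text.
x, y, a, b, k = ('n', 'x'), ('n', 'y'), ('r', 'a'), ('r', 'b'), ('r', 'k')
enc = lambda m, key: ('e', m, key)
H = [(a, a, 'o'), (b, b, 'o'), (x, x, 'i'), (enc(x, k), enc(a, k), 'o'), (enc(b, k), enc(x, k), 'o')]
G = [(x, x, 'i'), (a, a, 'o'), (y, y, 'i'), (b, b, 'o')]
```

Running `consistent(theory_of(H))` accepts the underlying theory of the second bi-trace, `respects({x: b}, {x: b}, H)` confirms that $([b/x],[b/x])$ is respectful (the prefix $(a,a)^o.(b,b)^o$ relates $b$ to $b$ by the id-rule), and `consistent(theory_of(apply_pair(H, {x: b}, {x: b})))` rejects the instantiated theory on condition (c), since $\{b\}_k$ is then paired with both $\{a\}_k$ and $\{b\}_k$. On the first bi-trace, identifying $y$ with $x$ or with $a$ is respectful while identifying $x$ with $a$ is not, because the empty prefix proves $x \leftrightarrow x$ by the var-rule but nothing about the rigid name $a$.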

4.1 Properties of bi-traces 

We now look at some properties of bi-traces. Among the important ones are those that concern composition 
of bi-traces. 
Definition 36. Composition of bi-traces. Two bi-traces can be composed if they have the same length and match element-wise. More precisely, given two bi-traces
$$h_1 = [(R_1,T_1)^{p_1},\ldots,(R_m,T_m)^{p_m}]$$
$$h_2 = [(U_1,V_1)^{q_1},\ldots,(U_n,V_n)^{q_n}]$$
we say $h_1$ is left-composable to $h_2$ (equivalently, $h_2$ is right-composable to $h_1$) if and only if $m = n$ and $T_k = U_k$ and $p_k = q_k$ for every $k \in \{1,\ldots,n\}$. Their composition, written $h_1 \circ h_2$, is
$$h_1 \circ h_2 = [(R_1,V_1)^{p_1},\ldots,(R_m,V_m)^{p_m}].$$

Note that there is a subtle difference between composability of bi-traces and of theories. In Definition 36 we do not require that $T_1,\ldots,T_m$ (likewise, $U_1,\ldots,U_n$) are pairwise distinct messages, since their positions in the list uniquely determine the composition. So in general, compositions of bi-traces need not coincide with compositions of their underlying theories. They do coincide, however, if we restrict to consistent bi-traces.

Lemma 37. If $h = h_1.h_2$ is a consistent bi-trace then so is $h_1$.

Lemma 38. Let $h$ be a bi-trace. If $\theta = (\theta_1,\theta_2)$ respects $h$, then for every name $x \in fn(h)$, we have $h\theta \vdash x\theta_1 \leftrightarrow x\theta_2$.

Proof. The proof is by induction on the length of $h$. The case with $h = []$ is trivial. We look at the other two cases:

– Suppose $h = h'.(M,N)^i$. Since $\theta$ also respects $h'$, by the induction hypothesis we have for every $y \in fn(h')$, $h'\theta \vdash y\theta_1 \leftrightarrow y\theta_2$, and by the monotonicity of $\vdash$, we have $h\theta \vdash y\theta_1 \leftrightarrow y\theta_2$. For every name $z \in fn(M,N) \setminus fn(h')$, we also have $h\theta \vdash z\theta_1 \leftrightarrow z\theta_2$, since $\theta$ respects $h$. Therefore for every name $x \in fn(h)$ we indeed have $h\theta \vdash x\theta_1 \leftrightarrow x\theta_2$.

– Suppose $h = h'.(M,N)^o$. By the restriction on bi-traces, it must be the case that $fn(M,N) \subseteq fn(h')$, therefore $fn(h) = fn(h')$. Therefore by the induction hypothesis we have that for every $x \in fn(h)$, $h'\theta \vdash x\theta_1 \leftrightarrow x\theta_2$.

□

Lemma 39. Let $h = h'.(M,N)^i$ be a bi-trace and let $\theta = (\theta_1,\theta_2)$ be an $h$-respectful substitution. Then $h'\theta \vdash x\theta_1 \leftrightarrow x\theta_2$, for every $x \in fn(h)$.

Proof. Applying Lemma 38 to $h'$, we have for every $x \in fn(h')$, $h'\theta \vdash x\theta_1 \leftrightarrow x\theta_2$. Now by Definition 34 we have $h'\theta \vdash x\theta_1 \leftrightarrow x\theta_2$ for every $x \in fn(M,N)$. We have therefore covered all the free names in $h$. □

Lemma 40. Let $h$ be a consistent bi-trace, let $\theta = (\theta_1,\theta_2)$ be an $h$-respectful substitution pair, and let $\gamma = (\gamma_1,\gamma_2)$ be an $h\theta$-respectful substitution pair. Then $\theta \circ \gamma$ is also an $h$-respectful substitution pair.

Proof. We have to show that whenever $h = h_1.(M,N)^i.h_2$, for every $x \in fn(M,N)$, $(h_1\theta)\gamma \vdash (x\theta_1)\gamma_1 \leftrightarrow (x\theta_2)\gamma_2$. Since $\theta$ respects $h$ and $\gamma$ respects $h\theta$, we have that
$$\text{for every } x' \in fn(M,N),\ h_1\theta \vdash x'\theta_1 \leftrightarrow x'\theta_2,$$
$$\text{for every } y \in fn(M\theta_1,N\theta_2),\ (h_1\theta)\gamma \vdash y\gamma_1 \leftrightarrow y\gamma_2.$$
Now since $x \in fn(M,N)$, it follows that $fn(x\theta_1,x\theta_2) \subseteq fn(M\theta_1,N\theta_2)$. From Lemma 39 we have
$$(h_1\theta)\gamma \vdash y\gamma_1 \leftrightarrow y\gamma_2$$
for every $y \in fn(h_1\theta,M\theta_1,N\theta_2)$. Therefore, we can apply Lemma 24 to get $(h_1\theta)\gamma \vdash (x\theta_1)\gamma_1 \leftrightarrow (x\theta_2)\gamma_2$. □

Lemma 41. If $h$ is a consistent bi-trace and $\theta = (\theta_1,\theta_2)$ respects $h$, then $h\theta$ is also a consistent bi-trace.
Proof. The proof is by induction on the length of $h$. The base case is obvious. There are two inductive cases:

Suppose $h = h'.(M,N)^i$. Since $\theta$ respects $h'$, by the induction hypothesis we know that $h'\theta$ is consistent. We have to show that $h'\theta \vdash M\theta_1 \leftrightarrow N\theta_2$. From Lemma 38 and Definition 34 it follows that for every $x \in fn(h)$, $h'\theta \vdash x\theta_1 \leftrightarrow x\theta_2$. Therefore by Lemma 24 we have $h'\theta \vdash M\theta_1 \leftrightarrow N\theta_2$ as required.

Suppose $h = h'.(M,N)^o$. Since $h$ is consistent, we have that for every $h'$-respectful substitution pair $\sigma = (\sigma_1,\sigma_2)$ (including $\theta$), if $h'\sigma$ is a consistent bi-trace then $\{h\sigma\}$ is a consistent theory. By the induction hypothesis, $h'\sigma$ is consistent, and therefore $\{h\sigma\}$ is a consistent theory, for every respectful $\sigma$. The statement we want to prove is the following: for every $h'\theta$-respectful substitution pair $\gamma = (\gamma_1,\gamma_2)$, if $(h'\theta)\gamma$ is a consistent bi-trace, then $\{(h\theta)\gamma\}$ is a consistent theory. It is enough to show that $\theta \circ \gamma$ is an $h'$-respectful substitution pair, which follows from Lemma 40. □

Lemma 42. If $h$ is a consistent bi-trace then $\{h\}$ is a consistent theory.

Lemma 43. If $h$ is consistent then so is $h^{-1}$.

Lemma 44. Let $h_1$ and $h_2$ be two consistent bi-traces such that $h_1$ is left-composable with $h_2$. Then $\{h_1\}$ is left-composable to $\{h_2\}$ and $\{h_1\} \circ \{h_2\} = \{h_1 \circ h_2\}$.

Lemma 45. Let $h$ be a consistent bi-trace. Then $fn(\pi_1(h)) = fn(\pi_2(h))$.

The following lemma is crucial to the proof of transitivity of open bisimulation.

Lemma 46. Let $h_1$ and $h_2$ be consistent and composable bi-traces such that $h_1 \circ h_2$ is also consistent. Let $(\theta_1,\theta_2)$ be a substitution pair that respects $h_1 \circ h_2$. Then there exists a substitution $\rho$ such that $(\theta_1,\rho)$ respects $h_1$ and $(\rho,\theta_2)$ respects $h_2$.

Proof. We construct $\rho$ by induction on the length of $h_1 \circ h_2$. At each stage of the induction, we construct a substitution $\rho$ satisfying the statement of the lemma. In the base case, where $h_1 \circ h_2$ is the empty list, we take $\rho$ to be the empty substitution. The inductive cases are handled as follows.

– $h_1 = h_1'.(M,N)^i$ and $h_2 = h_2'.(N,R)^i$. By the induction hypothesis, there is a substitution $\rho'$ such that $(\theta_1,\rho')$ respects $h_1'$ and $(\rho',\theta_2)$ respects $h_2'$. We will make use of the following facts:

• $h_1'$ and $h_2'$ are consistent, and since $(\theta_1,\rho')$ respects $h_1'$ and $(\rho',\theta_2)$ respects $h_2'$, it follows from Lemma 41 that $h_1'(\theta_1,\rho')$ and $h_2'(\rho',\theta_2)$ are also consistent.

• $(h_1' \circ h_2')\theta = (h_1'(\theta_1,\rho')) \circ (h_2'(\rho',\theta_2))$.

• $h_1' \circ h_2'$ is consistent and therefore, by Lemma 41, $(h_1' \circ h_2')\theta$ is a consistent bi-trace and its underlying theory is also consistent (Lemma 42).

• Since $\theta$ respects $h_1 \circ h_2$, by Lemma 39 we have that for every $x \in fn(h_1 \circ h_2)$, $(h_1' \circ h_2')\theta \vdash x\theta_1 \leftrightarrow x\theta_2$.

From these facts and Lemma 31, for every $x \in fn(h_1,h_2)$, there exists a unique $U$ such that $h_1'(\theta_1,\rho') \vdash x\theta_1 \leftrightarrow U$ and $h_2'(\rho',\theta_2) \vdash U \leftrightarrow x\theta_2$. We let $f(x)$ denote the unique $U$ obtained this way. Now define $\rho$ as follows:
$$
\rho(x) = \begin{cases}
\rho'(x) & \text{if } x \in fn(h_1',h_2'), \\
f(x) & \text{if } x \in fn(h_1,h_2) \text{ but } x \notin fn(h_1',h_2'), \\
x & \text{otherwise.}
\end{cases}
$$
Note that by Lemma 45, $fn(h_1' \circ h_2') = fn(h_1') = fn(h_2')$. We now show that $(\theta_1,\rho)$ respects $h_1$ and $(\rho,\theta_2)$ respects $h_2$.

1. $(\theta_1,\rho)$ respects $h_1$: Since $\rho$ and $\rho'$ coincide on $fn(h_1')$, $(\theta_1,\rho)$ also respects $h_1'$. We therefore need only to check that $h_1'(\theta_1,\rho) \vdash x\theta_1 \leftrightarrow x\rho$, for every $x \in fn(M,N) \setminus fn(h_1')$. This follows immediately from the construction of $x\rho$ discussed above.

2. $(\rho,\theta_2)$ respects $h_2$: symmetric to the previous case.

– $h_1 = h_1'.(M,N)^o$ and $h_2 = h_2'.(N,R)^o$. In this case, $fn(M,N,R) \subseteq fn(h_1',h_2')$. By the induction hypothesis, we have a substitution $\rho'$ such that $(\theta_1,\rho')$ respects $h_1'$ and $(\rho',\theta_2)$ respects $h_2'$. We simply define $\rho = \rho'$. It follows immediately from Definition 34 that $(\theta_1,\rho)$ respects $h_1$ and $(\rho,\theta_2)$ respects $h_2$.

□
Lemma 47. Let $h_1$ and $h_2$ be consistent bi-traces. Then their composition, $h_1 \circ h_2$, if defined, is also a consistent bi-trace.

Proof. By induction on the length of $h_1 \circ h_2$. The base case is obvious. The inductive cases are handled as follows:

- $h_1 = h_1'.(M,N)^i$ and $h_2 = h_2'.(N,R)^i$: By the induction hypothesis $h_1' \circ h_2'$ is consistent. Since $h_1$ and $h_2$ are consistent, we have that $h_1' \vdash M \leftrightarrow N$ and $h_2' \vdash N \leftrightarrow R$, and applying Lemma 26 we have $h_1' \circ h_2' \vdash M \leftrightarrow R$. Therefore $h_1 \circ h_2$ is consistent.

- $h_1 = h_1'.(M,N)^o$ and $h_2 = h_2'.(N,R)^o$: By the induction hypothesis $h_1' \circ h_2'$ is consistent. We need to show that for every $(h_1' \circ h_2')$-respectful substitution pair $\theta = (\theta_1,\theta_2)$, if $(h_1' \circ h_2')\theta$ is a consistent bi-trace then $\{(h_1 \circ h_2)\theta\}$ is a consistent theory. So let us suppose that $(h_1' \circ h_2')\theta$ is consistent. From Lemma 46 there exists a substitution $\rho$ such that $(\theta_1,\rho)$ respects $h_1'$ and $(\rho,\theta_2)$ respects $h_2'$. And since $fn(M,N) \subseteq fn(h_1')$ and $fn(N,R) \subseteq fn(h_2')$, we have that $(\theta_1,\rho)$ respects $h_1$ and $(\rho,\theta_2)$ respects $h_2$. Therefore, by Lemma 41, $h_1(\theta_1,\rho)$ and $h_2(\rho,\theta_2)$ are consistent bi-traces. Since $(h_1 \circ h_2)\theta = (h_1(\theta_1,\rho)) \circ (h_2(\rho,\theta_2))$, and therefore $\{(h_1 \circ h_2)\theta\} = \{h_1(\theta_1,\rho)\} \circ \{h_2(\rho,\theta_2)\}$, it follows from Lemma 32 that $\{(h_1 \circ h_2)\theta\}$ is indeed a consistent theory.

□

4.2 Definition of open bisimulation 

Definition 48. A traced process pair is a triple $(h,P,Q)$ where $h$ is a bi-trace, and $P$ and $Q$ are processes such that $fn(P,Q) \subseteq fn(h)$. Let $\mathcal{R}$ be a set of traced process pairs. We write $h \vdash P\,\mathcal{R}\,Q$ to denote the fact that $(h,P,Q) \in \mathcal{R}$. $\mathcal{R}$ is consistent if for every $h \vdash P\,\mathcal{R}\,Q$, $h$ is consistent. The inverse of $\mathcal{R}$, written $\mathcal{R}^{-1}$, is the set

$$\{(h^{-1},Q,P) \mid (h,P,Q) \in \mathcal{R}\}.$$

$\mathcal{R}$ is symmetric if $\mathcal{R} = \mathcal{R}^{-1}$.

Definition 49. A bi-trace $h$ is called a universal bi-trace if $h$ consists only of input pairs of names, i.e., it is of the form $(x_1,x_1)^i.\cdots.(x_n,x_n)^i$, where each $x_i$ is a name.

Definition 50. Open bisimulation. A set of traced process pairs $\mathcal{R}$ is a strong open bisimulation if $\mathcal{R}$ is consistent and symmetric, and if $h \vdash P\,\mathcal{R}\,Q$ then for every substitution pair $\theta = (\theta_1,\theta_2)$ that respects $h$, the following hold:

1. If $P\theta_1 \xrightarrow{\tau} P'$ then there exists $Q'$ such that $Q\theta_2 \xrightarrow{\tau} Q'$ and $h\theta \vdash P'\,\mathcal{R}\,Q'$.

2. If $P\theta_1 \xrightarrow{M} (x)P'$, where $x \notin fn(h\theta)$, and $\pi_1(h\theta) \vdash M$, then there exist $N$ and $Q'$ such that $Q\theta_2 \xrightarrow{N} (x)Q'$ and

   $$h\theta.(M,N)^i.(x,x)^i \vdash P'\,\mathcal{R}\,Q'.$$

3. If $P\theta_1 \xrightarrow{\bar M} (\nu\vec x)\langle M'\rangle P'$, and $\pi_1(h\theta) \vdash M$, then there exist $N$, $N'$ and $Q'$ such that $Q\theta_2 \xrightarrow{\bar N} (\nu\vec y)\langle N'\rangle Q'$, and

   $$h\theta.(M,N)^i.(M'[\vec c/\vec x],N'[\vec d/\vec y])^o \vdash P'[\vec c/\vec x]\,\mathcal{R}\,Q'[\vec d/\vec y],$$

   where $\{\vec c,\vec d\} \cap rn(h\theta,P\theta_1,Q\theta_2) = \emptyset$.

We denote with $\approx_o$ the union of all open bisimulations. We say that $P$ and $Q$ are strong open $h$-bisimilar, written $P \approx_o^h Q$, if $(h,P,Q) \in \approx_o$. They are said to be strong open bisimilar, written $P \approx_o Q$, if $rn(P,Q) = \emptyset$ and $P \approx_o^h Q$ for a universal bi-trace $h$.

Notice that strong open bisimilarity $\approx_o$ is defined on pure processes, i.e., those processes without free occurrences of rigid names.

Lemma 51. The relation $\approx_o$ is a strong open bisimulation.






5 Up-to techniques 



We define several up-to techniques for open bisimulation. The main purpose of these techniques is to prove congruence results for open bisimilarity, in particular closure under parallel composition, and to prove soundness of open bisimilarity with respect to testing equivalence. Up-to techniques are also useful in checking bisimulation, since in certain cases they allow one to finitely demonstrate bisimilarity of processes. The proof techniques used in this section derive mainly from the work of Boreale et al. [4]. We first need to introduce several notions, parallel to those in [4], adapting their up-to techniques to open bisimulation.

It is quite well-known that open bisimilarity is not closed under parallel composition with arbitrary processes, since these extra processes might introduce inconsistency into the observer theory or may reveal other knowledge that causes the composed processes to behave differently. For example, it can be shown that

$$(\{a\}_k,\{a\}_k)^o.(x,x)^i \vdash [x=a]\bar{a}x.0 \approx_o 0,$$

since $a$ is encrypted with the key $k$, which is unknown to the observer; this means that the observer cannot possibly feed $a$ into the input $x$. Thus the match prefix in the process $[x=a]\bar{a}x.0$ will not evaluate to true and the process is stuck. However, if we put the processes in parallel with $\bar{x}k$, the composed processes become

$$[x=a]\bar{a}x.0 \mid \bar{x}k \quad \text{and} \quad 0 \mid \bar{x}k.$$

Both processes can output $k$ on $x$, leading to the bi-trace

$$(\{a\}_k,\{a\}_k)^o.(x,x)^i.(k,k)^o,$$

at which point the observer can decrypt the first output pair to get $a$, and under this knowledge $[x=a]\bar{a}x.0$ is no longer bisimilar to $0$.

Given the above observation, in defining closure under parallel composition we need to make sure that the processes we are composing with do not reveal or add any extra information for the observer. A way to do this is to restrict the composition to processes obtained by instantiating pure processes with the current knowledge of the observer. This is defined via a notion of equivalent substitutions, given in the following.
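The counterexample above can be replayed mechanically. The following is an added example (not code from the paper): it computes the knowledge the observer obtains from the output components of a bi-trace, $\pi_1(h) \vdash M$, using the standard Dolev-Yao closure for pairing and symmetric encryption, and checks that $a$ is not deducible from $(\{a\}_k,\{a\}_k)^o.(x,x)^i$ but becomes deducible once $(k,k)^o$ is appended. The message syntax, the deduction rules, and the choice to treat $a$ and $k$ as rigid names (so they are not known by default) are assumptions, since this page does not define them.

```python
"""Observer knowledge for one projection of a bi-trace.

Added example, not code from the paper. Assumptions (the message syntax and
deduction rules are not defined on this page): messages are names, pairs and
symmetric encryptions {M}_N; non-rigid names are known to the observer by
default, rigid names only if the observer can extract them from the trace.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple, Union


@dataclass(frozen=True)
class Name:
    ident: str
    rigid: bool = False  # rigid names are not known to the observer a priori


@dataclass(frozen=True)
class Pair:
    left: "Msg"
    right: "Msg"


@dataclass(frozen=True)
class Enc:  # {body}_key, symmetric encryption
    body: "Msg"
    key: "Msg"


Msg = Union[Name, Pair, Enc]
# A bi-trace element: the pair (M, N) and its marking, "i" (input) or "o" (output).
BiTrace = List[Tuple[Tuple[Msg, Msg], str]]


def synthesises(known: FrozenSet[Msg], target: Msg) -> bool:
    """Synthesis: can `target` be built from `known` by pairing and encrypting?"""
    if target in known:
        return True
    if isinstance(target, Name):
        return not target.rigid  # plain names are public by default
    if isinstance(target, Pair):
        return synthesises(known, target.left) and synthesises(known, target.right)
    if isinstance(target, Enc):
        return synthesises(known, target.body) and synthesises(known, target.key)
    return False


def analyse(known: FrozenSet[Msg]) -> FrozenSet[Msg]:
    """Analysis: close `known` under projection, and under decryption of {M}_N
    whenever the key N is itself synthesisable from the current knowledge."""
    result = set(known)
    changed = True
    while changed:
        changed = False
        for m in list(result):
            if isinstance(m, Pair):
                new = {m.left, m.right}
            elif isinstance(m, Enc) and synthesises(frozenset(result), m.key):
                new = {m.body}
            else:
                continue
            if not new <= result:
                result |= new
                changed = True
    return frozenset(result)


def pi1_deduces(h: BiTrace, target: Msg) -> bool:
    """pi_1(h) |- target. Only output pairs add knowledge: the messages of an
    input pair were built by the observer from what it already knew."""
    outputs = frozenset(m for (m, _), mark in h if mark == "o")
    return synthesises(analyse(outputs), target)


# Constructed instance of the counterexample from the text. a and k are taken
# to be rigid names (otherwise the observer would know them by default).
a, k, x = Name("a", rigid=True), Name("k", rigid=True), Name("x")
H_BEFORE: BiTrace = [((Enc(a, k), Enc(a, k)), "o"), ((x, x), "i")]  # ({a}_k,{a}_k)^o.(x,x)^i
H_AFTER: BiTrace = H_BEFORE + [((k, k), "o")]                      # ... .(k,k)^o


def counterexample() -> Tuple[bool, bool]:
    """Whether the observer can feed a into x before and after k is output."""
    return pi1_deduces(H_BEFORE, a), pi1_deduces(H_AFTER, a)


if __name__ == "__main__":
    print(counterexample())  # (False, True)
```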

Definition 52. Let $h$ be a consistent bi-trace. Given two substitutions $\theta_1$ and $\theta_2$, we say that $\theta_1$ is $h$-equivalent to $\theta_2$, written $\theta_1 \leftrightarrow_h \theta_2$, if $dom(\theta_1) = dom(\theta_2)$ and for every $x \in dom(\theta_1)$, we have $h \vdash x\theta_1 \leftrightarrow x\theta_2$ and $fn(x\theta_1,x\theta_2) \subseteq fn(h)$. A substitution $\sigma$ extends $\theta$, written $\theta \preceq \sigma$, if $\sigma(x) = \theta(x)$ for every $x \in dom(\theta)$.

Lemma 53. Let $h$ be a consistent bi-trace, let $\theta = (\theta_1,\theta_2)$ be an $h$-respectful substitution pair and let $\sigma_1$ and $\sigma_2$ be substitutions such that $\sigma_1 \leftrightarrow_h \sigma_2$. Let $\sigma_1'$ and $\sigma_2'$ be the following substitutions:

$$\sigma_1' = (\sigma_1 \circ \theta_1)\restriction_{dom(\sigma_1)} \quad \text{and} \quad \sigma_2' = (\sigma_2 \circ \theta_2)\restriction_{dom(\sigma_2)}.$$

Then $\sigma_1' \leftrightarrow_{h\theta} \sigma_2'$.

Proof. We have to show that $h\theta \vdash x\sigma_1\theta_1 \leftrightarrow x\sigma_2\theta_2$, for every $x \in dom(\sigma_1')$. Since we have $h \vdash x\sigma_1 \leftrightarrow x\sigma_2$, and since $\theta$ respects $h$ and $fn(x\sigma_1,x\sigma_2) \subseteq fn(h)$, by Lemma 38 and Lemma 24 we have $h\theta \vdash x\sigma_1\theta_1 \leftrightarrow x\sigma_2\theta_2$. It remains to show that $fn(x\sigma_1\theta_1,x\sigma_2\theta_2) \subseteq fn(h\theta)$. But this follows immediately from the fact that $fn(x\sigma_1,x\sigma_2) \subseteq fn(h)$. □

Lemma 54. Let $h$ be a consistent bi-trace and let $\sigma_1$ and $\sigma_2$ be substitutions such that $\sigma_1 \leftrightarrow_h \sigma_2$. Let $M$ and $N$ be messages such that $fn(M,N) \subseteq dom(\sigma_1)$ and $rn(M,N) = \emptyset$. Then the following hold:

1. $h \vdash M\sigma_1 \leftrightarrow M\sigma_2$.

2. $M\sigma_1 = N\sigma_1$ if and only if $M\sigma_2 = N\sigma_2$.

Proof. Statement (1) is proved by induction on the size of $M$. Statement (2) then follows from (1) and the consistency of $h$. □

Note that item (2) in the above lemma is a simplification of the equivalence conditions for substitutions in the work of Boreale et al. [4]. In their work, processes can have boolean guards, constructed from the standard connectives of classical logic and equality, and they show that satisfiability of any formula is preserved under equivalent substitutions.

The next lemma is crucial to the soundness of up-to parallel composition. It shows that one-step transitions for pure processes are invariant under equivalent substitutions.

Lemma 55. Let $h$ be a consistent bi-trace, let $\sigma_1$ and $\sigma_2$ be substitutions such that $\sigma_1 \leftrightarrow_h \sigma_2$, and let $R$ be a process such that $fn(R) \subseteq dom(\sigma_1)$ and $rn(R) = \emptyset$. If $R\sigma_1 \xrightarrow{M} R'$ then there exist $\sigma_1 \preceq \sigma_1'$, $\sigma_2 \preceq \sigma_2'$, $U$ and $Q$ such that $\sigma_1' \leftrightarrow_h \sigma_2'$, $fn(U,Q) \subseteq dom(\sigma_1')$, $rn(U,Q) = \emptyset$, $M = U\sigma_1'$, $R' = Q\sigma_1'$ and $R\sigma_2 \xrightarrow{U\sigma_2'} Q\sigma_2'$.

Proof. The proof is by induction on the height of the derivation of the transition $R\sigma_1 \xrightarrow{M} R'$. Most cases follow straightforwardly from the induction hypothesis. The non-trivial cases are those that involve reductions of paired and encrypted messages. We examine the case with encryptions; the other case is treated similarly.

Suppose $R = \mathsf{case}\ L\ \mathsf{of}\ \{x\}_N\ \mathsf{in}\ P$ and the transition is derived as follows:

$$\frac{\mathsf{case}\ L\sigma_1\ \mathsf{of}\ \{x\}_{N\sigma_1}\ \mathsf{in}\ P\sigma_1 \to P\sigma_1[L_1/x] \qquad P\sigma_1[L_1/x] \xrightarrow{M} R'}{\mathsf{case}\ L\sigma_1\ \mathsf{of}\ \{x\}_{N\sigma_1}\ \mathsf{in}\ P\sigma_1 \xrightarrow{M} R'}$$

Here we assume, without loss of generality, that $x$ is chosen to be fresh with respect to $\sigma_1$, $\sigma_2$, $R$ and $h$. It must be the case that $L\sigma_1 = \{L_1\}_{N\sigma_1}$. Now by Lemma 54 we know that $h \vdash N\sigma_1 \leftrightarrow N\sigma_2$ and $h \vdash L\sigma_1 \leftrightarrow L\sigma_2$. Therefore, by Lemma 5, $L\sigma_2$ must also be of the form $\{L_2\}_{N\sigma_2}$ for some $L_2$ such that $h \vdash L_1 \leftrightarrow L_2$. Let us extend $\sigma_1$ and $\sigma_2$ to the following substitutions:

$$\theta_1 = \sigma_1 \cup \{x \mapsto L_1\} \quad \text{and} \quad \theta_2 = \sigma_2 \cup \{x \mapsto L_2\}.$$

Obviously, $\theta_1 \leftrightarrow_h \theta_2$. Therefore by the induction hypothesis, there exist $\theta_1 \preceq \theta_1'$, $\theta_2 \preceq \theta_2'$, $U'$ and $Q'$ such that $\theta_1' \leftrightarrow_h \theta_2'$, $U'\theta_1' = M$, $Q'\theta_1' = R'$ and $P\theta_2 \xrightarrow{U'\theta_2'} Q'\theta_2'$. We now define $U$ and $Q$ to be $U'$ and $Q'$, respectively, and let $\sigma_1' = \theta_1'$ and $\sigma_2' = \theta_2'$. Obviously, $\sigma_1 \preceq \sigma_1'$, $\sigma_2 \preceq \sigma_2'$ and $\sigma_1' \leftrightarrow_h \sigma_2'$. The transition from $R\sigma_2$ is therefore inferred as follows:

$$\frac{\mathsf{case}\ L\sigma_2\ \mathsf{of}\ \{x\}_{N\sigma_2}\ \mathsf{in}\ P\sigma_2 \to P\theta_2 \qquad P\theta_2 \xrightarrow{U\sigma_2'} Q\sigma_2'}{\mathsf{case}\ L\sigma_2\ \mathsf{of}\ \{x\}_{N\sigma_2}\ \mathsf{in}\ P\sigma_2 \xrightarrow{U\sigma_2'} Q\sigma_2'}$$

□

We need a few relations on bi-traces to describe the following up-to rules.

Definition 56. The relations $<_w$, $<_c$ and $<_f$ on bi-traces are defined as follows:

(weakening) $h <_w h'$, if $h = h_1.h_2$ and $h' = h_1.(M,N)^*.h_2$, where $* \in \{i,o\}$ and $fn(M,N) \subseteq fn(h_1)$.
(contraction) $h <_c h'$, if $h = h_1.(M,N)^*.h_2$ and $h' = h_1.h_2$, where $* \in \{i,o\}$, and $h_1 \vdash M \leftrightarrow N$.
(flex-rigid) $h <_f h'$, if $h = h_1.(c,c)^o.h_2[c/x]$, $h' = h_1.(x,x)^i.h_2$, $x \notin fn(h_1)$ and $c \notin rn(h_1.h_2)$.

The reflexive-transitive closures of $<_w$, $<_c$ and $<_f$ are denoted, respectively, by $\sqsubseteq_w$, $\sqsubseteq_c$ and $\sqsubseteq_f$.

If $h \sqsubseteq_f h'$ then $h$ is obtained from $h'$ by substituting certain names, say $x_1,\ldots,x_n$, in $h'$ with new rigid names, say $c_1,\ldots,c_n$, and changing certain input markings to output. In this case, we denote with $\theta_{h,h'}$ the substitution $[c_1/x_1,\ldots,c_n/x_n]$.

Reading from right to left, the above relations read as follows. The relation $<_w$, called weakening, removes an arbitrary pair from the bi-trace (hence possibly reducing the knowledge of the observer). The relation $<_c$, called contraction, adds a redundant pair, i.e., one which is deducible from the current knowledge, hence adding no extra knowledge. The relation $<_f$, called flex-rigid, replaces a variable input pair with a fresh output pair of rigid names. It does not increase the knowledge of the observer, since the added pair is a fresh value, but it does limit the possible respectful substitutions, since the fresh output pair cannot be substituted (they are rigid names). Thus, going from right to left in the relations, the knowledge of the observer does not increase.

Lemma 57. Let $h$ and $h'$ be consistent bi-traces and let $\theta = (\theta_1,\theta_2)$ be a substitution pair that respects $h$. For any $t \in \{w,c,f\}$, if $h \sqsubseteq_t h'$ then $\theta$ respects $h'$ and $h\theta \sqsubseteq_t h'\theta$.

Proof. In all cases, it is obvious that $h\theta \sqsubseteq_t h'\theta$ holds. We therefore need only to show that $\theta$ respects $h'$.

1. Suppose $h <_w h'$ and $\theta$ respects $h$. In this case, $h = h_1.h_2$ and $h' = h_1.(M,N)^*.h_2$ for some $M$, $N$, $h_1$ and $h_2$. There are two cases to consider: one in which the weakened pair $(M,N)$ is an input pair and the other when it is an output pair. The latter follows straightforwardly from the definition of respectful substitutions (which does not impose any requirement on output pairs) and from the fact that the entailment $\vdash$ is closed under arbitrary extensions of theories (Lemma 7). For the former, the proof is by induction on the size of $h_2$.

   In the base case, we have $h = h_1$ and $h' = h_1.(M,N)^i$. We need to show that for every name $x \in fn(M,N)$ we have $h\theta \vdash x\theta_1 \leftrightarrow x\theta_2$. From the definition of $<_w$ we know that all the names in $M$ and $N$ are also in $h_1$. And since $\theta$ respects $h_1$, by Lemma 38 we have that $h_1\theta \vdash x\theta_1 \leftrightarrow x\theta_2$ for every $x \in fn(h_1)$, hence also for every $x \in fn(M,N)$. The inductive case follows immediately from the induction hypothesis and Lemma 7.

2. Suppose $h <_c h'$ and $\theta$ respects $h$. There are two cases to consider:

   - $h = h_1.(M,N)^i.h_2$ and $h' = h_1.h_2$. We show by induction on the length of $h_2$ that $\theta$ respects $h'$. The base case, where $h' = h_1$ and $h = h_1.(M,N)^i$, is obvious, since $\theta$ respects $h$ and therefore it also respects $h'$. For the inductive cases, the only non-trivial case is when $h' = h_1.h_2'.(U,V)^i$ and $h = h_1.(M,N)^i.h_2'.(U,V)^i$. We have to show that $h'\theta \vdash x\theta_1 \leftrightarrow x\theta_2$ for every $x \in fn(U,V)$. Since $\theta$ respects $h$ and $h\theta$ is consistent, we have $h_1\theta \vdash M\theta_1 \leftrightarrow N\theta_2$ and $h\theta \vdash x\theta_1 \leftrightarrow x\theta_2$. Applying Proposition 10 to these two judgments we therefore obtain $h'\theta \vdash x\theta_1 \leftrightarrow x\theta_2$ as required.

   - $h = h_1.(M,N)^o.h_2$ and $h' = h_1.h_2$. This case is proved by induction on the length of $h_2$ and Proposition 10.

3. Suppose $h <_f h'$ and $\theta$ respects $h$. The fact that $\theta$ respects $h'$ can be shown using the fact that $h'$ and $h$ are essentially equivalent modulo the injective mapping of names to fresh rigid names: for any $M$ and $N$ such that $c \notin rn(M,N)$, $h' \vdash M \leftrightarrow N$ if and only if $h \vdash M[c/x] \leftrightarrow N[c/x]$. This can be shown by a simple induction on the height of the derivation of the equality.

□

Lemma 58. Let $h$ and $h'$ be consistent bi-traces and let $h''$ be a bi-trace such that $h.h''$ is consistent. Then the following statements hold:

1. If $h' \sqsubseteq_w h$ and $h' \vdash M \leftrightarrow N$ for every $(M,N)^i$ in $h''$, then $h'.h''$ is consistent.

2. If $h' \sqsubseteq_c h$ then $h'.h''$ is consistent.

3. If $h' \sqsubseteq_f h$ then $h'.(h''\theta_{h',h})$ is consistent.

Proof. It is sufficient to show that the properties hold for the relations $<_w$, $<_c$ and $<_f$. In most cases, the proof follows from inductive arguments, Proposition 10, Lemma 7 and Lemma 57.

1. Suppose $h' <_w h$. We show by induction on the size of $h''$ that $h'.h''$ is consistent. The base case is obvious. The inductive cases:

   - $h'' = h_1.(U,V)^i$. We need to show that $h'.h_1 \vdash U \leftrightarrow V$. But this follows from the assumption that $h' \vdash U \leftrightarrow V$.

   - $h'' = h_1.(U,V)^o$. We need to show that for every substitution pair $\theta = (\theta_1,\theta_2)$ that respects $h'.h_1$, the theory $\{h'\theta.h''\theta\}$ is consistent. From Lemma 57, $\theta$ also respects $h.h_1$, therefore by the consistency of $h.h''$, the theory $\{h\theta.h''\theta\}$ is consistent, which means that any of its subsets is also a consistent theory. Since $\{h'\theta.h''\theta\} \subseteq \{h\theta.h''\theta\}$ we therefore have that $\{h'\theta.h''\theta\}$ is consistent.

2. Suppose $h' <_c h$. We show that $h'.h''$ is consistent by induction on the size of $h''$. We first note that in this case $h$ and $h'$ are equivalent (as theories), as a consequence of Proposition 10 and Lemma 7. That is, $h \vdash M \leftrightarrow N$ if and only if $h' \vdash M \leftrightarrow N$, for any $M$ and $N$. The consistency of $h'.h''$ then follows straightforwardly from this equivalence, the definition of consistent bi-traces, Lemma 57 and the induction hypotheses.

3. Suppose $h' <_f h$, where $h' = h_1.(c,c)^o.h_2([c/x],[c/x])$ and $h = h_1.(x,x)^i.h_2$. To show the consistency of $h'.h''[c/x]$ we make use of the fact that $h' \vdash M[c/x] \leftrightarrow N[c/x]$ if and only if $h \vdash M \leftrightarrow N$. That is, $h$ and $h'$ are indistinguishable as theories. The consistency proof then proceeds as in the previous case.

□

We are now ready to define the up-to techniques.

Definition 59. Given a set of consistent traced process pairs $\mathcal{R}$, define $\mathcal{R}_t$, for $t \in \{=, w, c, s, i, f, r, p\}$, as the least relations containing $\mathcal{R}$ which satisfy the following rules:

1. up to structural equivalence:

   $$\frac{P \equiv P', \quad Q \equiv Q' \quad \text{and} \quad h \vdash P'\,\mathcal{R}\,Q'}{h \vdash P\,\mathcal{R}_{=}\,Q}\ (=)$$

2. up to weakening:

   $$\frac{h \vdash P\,\mathcal{R}\,Q, \quad h' \sqsubseteq_w h \quad \text{and} \quad h' \text{ is consistent}}{h' \vdash P\,\mathcal{R}_w\,Q}\ (w)$$

3. up to contraction:

   $$\frac{h \vdash P\,\mathcal{R}\,Q, \quad h' \sqsubseteq_c h \quad \text{and} \quad h' \text{ is consistent}}{h' \vdash P\,\mathcal{R}_c\,Q}\ (c)$$

4. up to substitutions:

   $$\frac{h \vdash P\,\mathcal{R}\,Q \quad \text{and} \quad \theta = (\theta_1,\theta_2) \text{ respects } h}{h\theta \vdash P\theta_1\,\mathcal{R}_s\,Q\theta_2}\ (s)$$

5. up to injective renaming of rigid names:

   $$\frac{h \vdash P\,\mathcal{R}\,Q, \quad \rho_1 \text{ and } \rho_2 \text{ are injective renamings on rigid names}}{h(\rho_1,\rho_2) \vdash P\rho_1\,\mathcal{R}_i\,Q\rho_2}\ (i)$$

6. up to flex-rigid reversal of names:

   $$\frac{h \vdash P\,\mathcal{R}\,Q, \quad h' \sqsubseteq_f h}{h' \vdash P\theta_{h',h}\,\mathcal{R}_f\,Q\theta_{h',h}}\ (f)$$

7. up to restriction:

   $$\frac{h \vdash P[\vec c/\vec x]\,\mathcal{R}\,Q[\vec d/\vec y], \quad \{\vec c\} \cap rn(\pi_1(h),P) = \emptyset, \quad \{\vec d\} \cap rn(\pi_2(h),Q) = \emptyset, \quad \{\vec x,\vec y\} \cap fn(h) = \emptyset}{h \vdash (\nu\vec x)P\,\mathcal{R}_r\,(\nu\vec y)Q}\ (r)$$

8. up to parallel composition:

   $$\frac{h \vdash P\,\mathcal{R}\,Q, \quad h' \text{ is consistent}, \quad h' \sqsubseteq_c h, \quad \sigma_1 \leftrightarrow_h \sigma_2, \quad fn(R) \subseteq dom(\sigma_1), \quad rn(R) = \emptyset, \quad A = (P \mid R\sigma_1) \quad \text{and} \quad B = (Q \mid R\sigma_2)}{h' \vdash A\,\mathcal{R}_p\,B}\ (p)$$

Strong open bisimulation up to structural equivalence is defined similarly to Definition 50, except that we replace the relation $\mathcal{R}$ in items (1), (2) and (3) of Definition 50 with $\mathcal{R}_{=}$. Strong open bisimulation up to weakening, contraction, substitutions, injective renaming, flex-rigid reversal, restriction and parallel composition are defined analogously.






In those rules that concern weakening, contraction and flex-rigid reversal of names, the observer knowledge in the premise is always equal to or greater than its knowledge in the conclusion. In other words, if the observer cannot distinguish two processes using its current knowledge, it cannot do so either with reduced knowledge. In the rule for parallel composition, we allow only processes that can introduce no extra information to the observer. Notice that in the rule, we need to "contract" the bi-trace $h$, since we would like to allow $R\sigma_1$ to contain new names not already in $h$. This does not jeopardize the no-new-knowledge condition, since names are by default known to observers anyway. This flexibility of allowing new names into $R\sigma_1$ will play a (technical) role in showing the soundness of bisimulation up to parallel composition.

Lemma 60. If $\mathcal{R}$ is an open bisimulation, then $\mathcal{R}$ is also an open bisimulation up to structural equivalence (respectively, weakening, contraction, etc.).

Proof. This follows immediately from the fact that $\mathcal{R} \subseteq \mathcal{R}_{=}$ (respectively, $\mathcal{R}_w$, etc.). □

Lemma 61. Let $\mathcal{R}$ be a set of consistent traced process pairs. Then $(\mathcal{R}_t)_t = \mathcal{R}_t$, for any $t \in \{=, w, c, s, i, f, r, p\}$.

The following lemma states that equivalent substitutions are preserved under bi-trace extensions.

Lemma 62. Let $h$ and $h'$ be consistent bi-traces such that $h$ is a prefix of $h'$. Let $\sigma_1$ and $\sigma_2$ be substitutions such that $\sigma_1 \leftrightarrow_h \sigma_2$. Then $\sigma_1 \leftrightarrow_{h'} \sigma_2$.

The notions of bisimulation and bisimulation up-to are special cases of the so-called progressions in [13]. We shall use the techniques in [13], adapted to the spi-calculus setting by Boreale et al. [4], to show that the open bisimulation relations up-to the closure rules in Definition 59 are sound. We first recall some basic notions and results concerning progressions from [13].

Definition 63. Given two symmetric and consistent sets of traced process pairs $\mathcal{R}$ and $\mathcal{S}$, we say $\mathcal{R}$ progresses to $\mathcal{S}$, written $\mathcal{R} \rightsquigarrow \mathcal{S}$, if whenever $h \vdash P\,\mathcal{R}\,Q$ then for every substitution pair $\theta = (\theta_1,\theta_2)$ that respects $h$, the following hold:

1. If $P\theta_1 \xrightarrow{\tau} P'$ then there exists $Q'$ such that $Q\theta_2 \xrightarrow{\tau} Q'$ and $h\theta \vdash P'\,\mathcal{S}\,Q'$.

2. If $P\theta_1 \xrightarrow{M} (x)P'$, where $x \notin fn(h\theta)$, and $\pi_1(h\theta) \vdash M$, then there exist $N$ and $Q'$ such that $Q\theta_2 \xrightarrow{N} (x)Q'$ and

   $$h\theta.(M,N)^i.(x,x)^i \vdash P'\,\mathcal{S}\,Q'.$$

3. If $P\theta_1 \xrightarrow{\bar M} (\nu\vec x)\langle M'\rangle P'$, and $\pi_1(h\theta) \vdash M$, then there exist $N$, $N'$ and $Q'$ such that $Q\theta_2 \xrightarrow{\bar N} (\nu\vec y)\langle N'\rangle Q'$, and

   $$h\theta.(M,N)^i.(M'[\vec c/\vec x],N'[\vec d/\vec y])^o \vdash P'[\vec c/\vec x]\,\mathcal{S}\,Q'[\vec d/\vec y],$$

   where $\{\vec c,\vec d\} \cap rn(h\theta,P\theta_1,Q\theta_2) = \emptyset$.

A function $\mathcal{F}$ on relations is sound with respect to $\approx_o$ if $\mathcal{R} \rightsquigarrow \mathcal{F}(\mathcal{R})$ implies $\mathcal{R} \subseteq \approx_o$. $\mathcal{F}$ is respectful if for every $\mathcal{R}$ and $\mathcal{S}$ such that $\mathcal{R} \subseteq \mathcal{S}$ and $\mathcal{R} \rightsquigarrow \mathcal{S}$, $\mathcal{F}(\mathcal{R}) \rightsquigarrow \mathcal{F}(\mathcal{S})$ holds. We recall some results of [13] regarding respectful functions: respectful functions are sound, and moreover, compositions of respectful functions yield respectful functions (hence, sound functions). Each rule $t$ in Definition 59 induces a function on relations, which we denote here with the notation $(.)_t$. We now proceed to showing that the functions induced by the rules in Definition 59 are sound. We use the notation $(.)_{t_1 \cdots t_n}$ to denote the composition $(\cdots((.)_{t_1})_{t_2} \cdots)_{t_n}$.

Lemma 64. The function $(.)_t$ for any $t \in \{=, w, c, s, i, f, ri\}$ is respectful.

Proof. Suppose that $\mathcal{R} \subseteq \mathcal{S}$. It is easy to see that by definition, $\mathcal{R}_t \subseteq \mathcal{S}_t$. Moreover, $(\mathcal{R}_t)_t = \mathcal{R}_t$ for any $t$ and $\mathcal{R}$. It remains to show that if $\mathcal{R} \rightsquigarrow \mathcal{S}$ then $\mathcal{R}_t \rightsquigarrow \mathcal{S}_t$. The cases with structural equivalence and injective renaming follow straightforwardly from the fact that both preserve one-step transitions. The case with substitutions follows straightforwardly from the fact that compositions of respectful substitutions yield respectful substitutions (Lemma 40).

The cases where $t \in \{w, c, f\}$ are handled uniformly, following results from Lemma 57 and Lemma 58. We look at a particular step in the weakening case; the rest can be dealt with in a similar fashion. So let us suppose that $h \vdash P\,\mathcal{R}_w\,Q$ and $\theta = (\theta_1,\theta_2)$ respects $h$. The case where $(h,P,Q) \in \mathcal{R}$ is trivial, so we look at the other case, where $h$ is obtained by a weakening step, i.e., $h \sqsubseteq_w h'$ and $h' \vdash P\,\mathcal{R}\,Q$. From Lemma 57 we know that $\theta$ respects $h'$ as well. Now suppose $P\theta_1 \xrightarrow{\bar M} (\nu\vec c)\langle U\rangle P'$ and $\pi_1(h\theta) \vdash M$ (hence, $\pi_1(h'\theta) \vdash M$). Since $\mathcal{R} \rightsquigarrow \mathcal{S}$, there exist $N$, $Q'$, $\vec d$ and $V$ such that $Q\theta_2 \xrightarrow{\bar N} (\nu\vec d)\langle V\rangle Q'$ and

$$h'\theta.(M,N)^i.(U,V)^o \vdash P'\,\mathcal{S}\,Q'.$$

We need to show that $h\theta.(M,N)^i.(U,V)^o \vdash P'\,\mathcal{S}_w\,Q'$. We can do this by applying another weakening step to $h'\theta.(M,N)^i.(U,V)^o \vdash P'\,\mathcal{S}\,Q'$. To be able to do this, we first have to show that the bi-trace $h\theta.(M,N)^i.(U,V)^o$ is consistent and is a weakening of $h'\theta.(M,N)^i.(U,V)^o$. The latter is obvious. For the former, we note that since $\pi_1(h\theta) \vdash M$, by the consistency of $h\theta$, it must be the case that $h\theta \vdash M \leftrightarrow M'$ for a unique $M'$. Now since $\{h\theta\}$ is a subset of $\{h'\theta\}$, it must be the case that $h'\theta \vdash M \leftrightarrow M'$, and by the consistency of $h'\theta$, this means that $M' = N$. In short, we have just shown that $h\theta \vdash M \leftrightarrow N$, therefore we can apply Lemma 58 to get the consistency of $h\theta.(M,N)^i.(U,V)^o$. We can apply the weakening step to get to

$$h\theta.(M,N)^i.(U,V)^o \vdash P'\,\mathcal{S}_w\,Q'.$$

For the case with $(.)_{ri}$, we first show that if $\mathcal{R} \rightsquigarrow \mathcal{S}$ then $\mathcal{R}_r \rightsquigarrow \mathcal{S}_{ri}$, which is straightforward. The need for the injective renaming appears when we consider the output transitions, where the choice of extruded rigid names can vary. Since we already know that $(.)_i$ is respectful, we have $\mathcal{R}_{ri} \rightsquigarrow \mathcal{S}_{rii}$. But since $\mathcal{S}_{rii} = \mathcal{S}_{ri}$, we also have $\mathcal{R}_{ri} \rightsquigarrow \mathcal{S}_{ri}$ as required. □

In the following, we use the notation $(\vec s,\vec t)^*$, where $*$ is either an $i$ or an $o$, $\vec s = s_1,\ldots,s_n$, and $\vec t = t_1,\ldots,t_n$, to denote the bi-trace $(s_1,t_1)^*.\cdots.(s_n,t_n)^*$.

Proposition 65. Let $\mathcal{R}$ be an open bisimulation up to structural equivalence (respectively, weakening, contraction, etc.). Then $\mathcal{R} \subseteq \mathcal{R}_{=} \subseteq \approx_o$ (respectively, $\mathcal{R} \subseteq \mathcal{R}_t \subseteq \approx_o$, for $t \in \{w, c, s, i, f, r, p\}$).

Proof. In all cases, $\mathcal{R} \subseteq \mathcal{R}_t$ by definition, so it remains to show $\mathcal{R}_t \subseteq \approx_o$. The case where $t \in \{=, w, c, s, i, f\}$ follows immediately from Lemma 64 and the fact that respectful functions are sound. For the case with restriction, we first note that since $\mathcal{R}$ is an open bisimulation up to restriction, we have $\mathcal{R} \rightsquigarrow \mathcal{R}_r$. Since $\mathcal{R} \subseteq \mathcal{R}_r$, it thus follows from Lemma 64 that $\mathcal{R}_{ri} \rightsquigarrow \mathcal{R}_{rri}$. Since $\mathcal{R}_{rri} = \mathcal{R}_{ri}$, this means that $\mathcal{R}_{ri}$ is an open bisimulation and $\mathcal{R}_{ri} \subseteq \approx_o$. But since we also have $\mathcal{R}_r \subseteq \mathcal{R}_{ri}$, we obtain $\mathcal{R}_r \subseteq \approx_o$ as required.

We now look at the case with parallel composition. Given that $\mathcal{R}$ is an open bisimulation up-to parallel composition, we show that $\mathcal{R}_p$ is an open bisimulation up-to substitutions, flex-rigid reversal, weakening, injective renaming, restriction and structural equivalence. Since all these up-to bisimulations have been shown to be respectful and sound, any of their compositions is also sound, and by showing their inclusion of $\mathcal{R}_p$ we show that $\mathcal{R}_p$ is included in $\approx_o$ as well.

Let us suppose that we are given $h$, $h'$, $P$, $Q$, $R$, $\sigma_1$ and $\sigma_2$ as specified in the rule for "up to parallel composition" in Definition 59. Given $h' \vdash A\,\mathcal{R}_p\,B$ and a substitution pair $\theta = (\theta_1,\theta_2)$ that respects $h'$, we examine all the possible transitions from $A$ and show that each of these transitions can be matched by $B$ and their continuations are in $\mathcal{R}_{psfw(ri)=}$. We note that the relation $\mathcal{R}_{p\vec t}$, where $\vec t$ is a list obtained from $sfw(ri)=$ by removing one or more functions, is contained in $\mathcal{R}_{psfw(ri)=}$. For example, $\mathcal{R}_{pf(ri)}$ is included in $\mathcal{R}_{psfw(ri)=}$. In the following we assume a given substitution pair $\theta = (\theta_1,\theta_2)$ which respects $h'$. Also, we denote with $\rho_1$ and $\rho_2$ the following substitutions:

$$\rho_1 = (\sigma_1 \circ \theta_1)\restriction_{dom(\sigma_1)} \quad \text{and} \quad \rho_2 = (\sigma_2 \circ \theta_2)\restriction_{dom(\sigma_2)}.$$

1. Suppose $A\theta_1 \xrightarrow{\tau} A'$ and the transition is driven by $P\theta_1$, that is, $P\theta_1 \xrightarrow{\tau} P'$ and $A' = (P' \mid R\rho_1)$ (note that $R\sigma_1\theta_1 = R\rho_1$ by definition). Since $h \vdash P\,\mathcal{R}\,Q$, $\mathcal{R}$ is a bisimulation up to parallel composition, and $\theta$ respects $h$ (Lemma 57), we have $Q\theta_2 \xrightarrow{\tau} Q'$ for some $Q'$ such that $h\theta \vdash P'\,\mathcal{R}_p\,Q'$. By Lemma 61 $(\mathcal{R}_p)_p = \mathcal{R}_p$, by Lemma 53 $\rho_1 \leftrightarrow_{h\theta} \rho_2$, and since $h'\theta \sqsubseteq_c h\theta$ it follows from Lemma 62 that $\rho_1 \leftrightarrow_{h'\theta} \rho_2$. We can therefore apply the up-to-parallel-composition rule to get

   $$h'\theta \vdash (P' \mid R\rho_1)\,\mathcal{R}_p\,(Q' \mid R\rho_2)$$

   and

   $$h'\theta \vdash A'\,\mathcal{R}_{p=}\,B'$$

   for any $B' \equiv (Q' \mid R\rho_2)$.

2. Suppose $A\theta_1 \xrightarrow{M} (x)A'$, where $\pi_1(h'\theta) \vdash M$, and the transition is driven by $P\theta_1$, that is, $P\theta_1 \xrightarrow{M} (x)P'$ and $A' = (P' \mid R\rho_1)$. Note that since we assume processes (and agents) modulo $\alpha$-equivalence, we can assume that $x$ is chosen to be "fresh" with respect to the free names in the bi-traces, substitutions and processes being considered. We first have to show that $\pi_1(h\theta) \vdash M$ as well; but this is straightforward from the fact that $h'\theta$ is a conservative extension of $h\theta$. By similar reasoning to the previous case, we have $Q\theta_2 \xrightarrow{N} (x)Q'$ for some $N$ and $Q'$ such that $h\theta.(M,N)^i.(x,x)^i \vdash P'\,\mathcal{R}_p\,Q'$. Since $h'\theta \vdash M \leftrightarrow N$ and $h'\theta \sqsubseteq_c h\theta$ we have

   $$h_1 = h'\theta.(M,N)^i.(x,x)^i \sqsubseteq_c h\theta.(M,N)^i.(x,x)^i$$

   and therefore by Lemma 62 we have $\rho_1 \leftrightarrow_{h_1} \rho_2$. From Lemma 58 it follows that $h_1$ is consistent. This means we can apply the up-to-parallel-composition rule to $h\theta.(M,N)^i.(x,x)^i \vdash P'\,\mathcal{R}_p\,Q'$ to get $h_1 \vdash (P' \mid R\rho_1)\,\mathcal{R}_p\,(Q' \mid R\rho_2)$ and therefore

   $$h_1 \vdash A'\,\mathcal{R}_{p=}\,B'$$

   for any $B' \equiv (Q' \mid R\rho_2)$.

3. Suppose $A\theta_1 \xrightarrow{\bar M} (\nu\vec x)\langle M'\rangle A'$ and the transition is driven by $P\theta_1$, that is $P\theta_1 \xrightarrow{\bar M} (\nu\vec x)\langle M'\rangle P'$ and $A' = (P' \mid R\rho_1)$. Then $Q\theta_2 \xrightarrow{\bar N} (\nu\vec y)\langle N'\rangle Q'$ (therefore, $B\theta_2 \xrightarrow{\bar N} (\nu\vec y)\langle N'\rangle (Q' \mid R\rho_2)$) and

   $$h\theta.(M,N)^i.(M'[\vec c/\vec x],N'[\vec d/\vec y])^o \vdash P'\,\mathcal{R}_p\,Q'.$$

   Let $h_1$ be the bi-trace $h'\theta.(M,N)^i.(M'[\vec c/\vec x],N'[\vec d/\vec y])^o$. By Lemma 58, $h_1$ is a consistent bi-trace and

   $$h_1 \sqsubseteq_c h\theta.(M,N)^i.(M'[\vec c/\vec x],N'[\vec d/\vec y])^o.$$

   Since $h'\theta$ is a prefix of $h_1$, it follows from Lemma 62 that $\rho_1 \leftrightarrow_{h_1} \rho_2$. We can now apply the up-to-parallel-composition rule to get

   $$h_1 \vdash (P' \mid R\rho_1)\,\mathcal{R}_p\,(Q' \mid R\rho_2)$$

   and therefore

   $$h_1 \vdash A'\,\mathcal{R}_{p=}\,B'$$

   for any $B' \equiv (Q' \mid R\rho_2)$.

4. Suppose $A\theta_1 \xrightarrow{\tau} A'$ and the transition is driven by $R\rho_1$, i.e., $R\rho_1 \xrightarrow{\tau} R'$, and $A' = (P\theta_1 \mid R')$. Then there exist $U$, $\rho_1'$ and $\rho_2'$ such that $\rho_1 \preceq \rho_1'$, $\rho_2 \preceq \rho_2'$, $\rho_1' \leftrightarrow_{h'\theta} \rho_2'$, $R' = U\rho_1'$ and $R\rho_2 \xrightarrow{\tau} U\rho_2'$. Let $U'$ be a renaming of $U$, i.e., $U' = U\rho$ for a renaming substitution $\rho$, such that $fn(U') \cap fn(h') = \emptyset$. Define the substitutions $\delta_1$ and $\delta_2$ as follows:

   $$\delta_1 = (\rho^{-1} \circ \rho_1')\restriction_{fn(U')} \quad \text{and} \quad \delta_2 = (\rho^{-1} \circ \rho_2')\restriction_{fn(U')}.$$

   We note that since $\rho_1' \leftrightarrow_{h'\theta} \rho_2'$, we have $\delta_1 \leftrightarrow_{h'\theta} \delta_2$. Moreover, $U'\delta_1 = U\rho_1'$ and $U'\delta_2 = U\rho_2'$. Let $\vec x = x_1,\ldots,x_n$ be the free names in $U'$. Then by the definition of $\mathcal{R}_p$ we have

   $$h'.(\vec x,\vec x)^i \vdash (P \mid U')\,\mathcal{R}_p\,(Q \mid U').$$

   Now let us define $\gamma_1$ and $\gamma_2$ as follows:

   $$\gamma_1 = \theta_1 \circ \delta_1 \quad \text{and} \quad \gamma_2 = \theta_2 \circ \delta_2.$$

   It is easy to see that $\gamma = (\gamma_1,\gamma_2)$ respects $h'.(\vec x,\vec x)^i$. We can therefore apply the substitution rule to get

   $$h'\gamma.(x_1\gamma_1,x_1\gamma_2)^i.\cdots.(x_n\gamma_1,x_n\gamma_2)^i \vdash (P\gamma_1 \mid U'\gamma_1)\,\mathcal{R}_{ps}\,(Q\gamma_2 \mid U'\gamma_2).$$

   Now since $h'\gamma = h'\theta$ and $fn(x_i\gamma_1,x_i\gamma_2) \subseteq fn(h'\theta)$, we can apply the weakening rule to get

   $$h'\theta \vdash (P\gamma_1 \mid U'\gamma_1)\,\mathcal{R}_{psw}\,(Q\gamma_2 \mid U'\gamma_2)$$

   which is syntactically equivalent to

   $$h'\theta \vdash (P\theta_1 \mid U\rho_1')\,\mathcal{R}_{psw}\,(Q\theta_2 \mid U\rho_2').$$

   We then apply the structural equivalence rule to get

   $$h'\theta \vdash A'\,\mathcal{R}_{psw=}\,B'$$

   for any $B' \equiv (Q\theta_2 \mid U\rho_2')$.

5. Suppose $A\theta_1 \xrightarrow{M} (x)A'$ and the transition is driven by $R\rho_1$, i.e., $R\rho_1 \xrightarrow{M} (x)R'$ and $A' = (P\theta_1 \mid R')$ (again, here we assume that $x$ is chosen to be sufficiently fresh). Then there exist $\rho_1'$, $\rho_2'$, $T$ and $U$ such that $\rho_1 \preceq \rho_1'$, $\rho_2 \preceq \rho_2'$, $\rho_1' \leftrightarrow_{h'\theta} \rho_2'$, $T\rho_1' = M$, $U\rho_1' = R'$ and $R\rho_2 \xrightarrow{T\rho_2'} (x)U\rho_2'$. In the following discussion, we assume that the free names of $T$ and $U$ are distinct from $fn(h')$, and that $dom(\rho_1') \cap fn(h') = \emptyset$. This is not a real restriction since we can use composition with a renaming substitution in the same way as in the previous case to avoid name clashes.

   Let $\vec y = y_1,\ldots,y_n$ be the free names in $T$ and $U$. Let $h_1 = h'.(\vec y,\vec y)^i.(T,T)^i.(x,x)^i$. Since $T$ contains no free rigid names, by Lemma 54 we have $h' \vdash T \leftrightarrow T$, hence $h_1$ is consistent and $h_1 \sqsubseteq_c h$. Therefore by the definition of $\mathcal{R}_p$, we have

   $$h'.(\vec y,\vec y)^i.(T,T)^i.(x,x)^i \vdash (P \mid U)\,\mathcal{R}_p\,(Q \mid U).$$

   Define $\gamma_1$ and $\gamma_2$ as $\theta_1 \circ \rho_1'$ and $\theta_2 \circ \rho_2'$. Clearly $\gamma = (\gamma_1,\gamma_2)$ respects $h_1$. Therefore, we can apply the substitution rule, with $\gamma$, to get

   $$h'\theta.(y_1\rho_1',y_1\rho_2')^i.\cdots.(y_n\rho_1',y_n\rho_2')^i.(T\rho_1',T\rho_2')^i.(x,x)^i \vdash (P\theta_1 \mid U\rho_1')\,\mathcal{R}_{ps}\,(Q\theta_2 \mid U\rho_2').$$

   Recall that $\rho_1' \leftrightarrow_{h'\theta} \rho_2'$, therefore $fn(y_i\rho_1',y_i\rho_2') \subseteq fn(h'\theta)$, hence these pairs can be weakened away:

   $$h'\theta.(T\rho_1',T\rho_2')^i.(x,x)^i \vdash (P\theta_1 \mid U\rho_1')\,\mathcal{R}_{psw}\,(Q\theta_2 \mid U\rho_2').$$

   Finally, we apply the structural equivalence rule to get

   $$h'\theta.(T\rho_1',T\rho_2')^i.(x,x)^i \vdash A'\,\mathcal{R}_{psw=}\,B'$$

   where $B' \equiv (Q\theta_2 \mid U\rho_2')$.

6. Suppose $A\theta_1 \xrightarrow{\bar M} (\nu x)\langle K\rangle A'$, and the transition is driven by $R\rho_1$, i.e., $R\rho_1 \xrightarrow{\bar M} (\nu x)\langle K\rangle R'$ and $A' = (P\theta_1 \mid R')$. Then there exist $\rho_1'$, $\rho_2'$, $T$, $L$ and $U$ such that $\rho_1 \preceq \rho_1'$, $\rho_2 \preceq \rho_2'$, $\rho_1' \leftrightarrow_{h'\theta} \rho_2'$, $T\rho_1' = M$, $L\rho_1' = K$, $U\rho_1' = R'$ and $R\rho_2 \xrightarrow{T\rho_2'} (\nu x)\langle L\rho_2'\rangle U\rho_2'$. As in the previous case, we assume, without loss of generality, that the free names of $T$, $L$, $U$ and the domains of $\rho_1'$ and $\rho_2'$ are all distinct from $fn(h')$.

   Let $\vec y = y_1,\ldots,y_n$ be the free names of $T$ and $L$. Let $h_1 = h'.(\vec y,\vec y)^i.(T,T)^i.(x,x)^i.(L,L)^o$. Since $T$ and $L$ contain no free rigid names, we have $h' \vdash T \leftrightarrow T$ and $h'.(x,x)^i \vdash L \leftrightarrow L$. Therefore $h_1$ is consistent and $h_1 \sqsubseteq_c h$. Let $\gamma_1$ and $\gamma_2$ be defined as $\theta_1 \circ \rho_1'$ and $\theta_2 \circ \rho_2'$, respectively. It is easy to verify that $\gamma = (\gamma_1,\gamma_2)$ respects $h_1$, and $h'\gamma = h'\theta$. Moreover, for every $y_i \in \{y_1,\ldots,y_n\}$, $fn(y_i\rho_1',y_i\rho_2') \subseteq fn(h'\theta)$.

   We can then apply the following series of rules:

   $$h \vdash P\,\mathcal{R}\,Q$$
   $$\Downarrow p$$
   $$h'.(\vec y,\vec y)^i.(T,T)^i.(x,x)^i.(L,L)^o \vdash (P \mid U)\,\mathcal{R}_p\,(Q \mid U)$$
   $$\Downarrow s$$
   $$h'\theta.(y_1\rho_1',y_1\rho_2')^i.\cdots.(y_n\rho_1',y_n\rho_2')^i.(T\rho_1',T\rho_2')^i.(x,x)^i.(L\rho_1',L\rho_2')^o \vdash (P\theta_1 \mid U\rho_1')\,\mathcal{R}_{ps}\,(Q\theta_2 \mid U\rho_2')$$
   $$\Downarrow f$$
   $$h'\theta.(y_1\rho_1',y_1\rho_2')^i.\cdots.(y_n\rho_1',y_n\rho_2')^i.(T\rho_1',T\rho_2')^i.(c,c)^o.(L\rho_1'[c/x],L\rho_2'[c/x])^o \vdash (P\theta_1 \mid U\rho_1'[c/x])\,\mathcal{R}_{psf}\,(Q\theta_2 \mid U\rho_2'[c/x])$$
   $$\Downarrow w$$
   $$h'\theta.(T\rho_1',T\rho_2')^i.(L\rho_1'[c/x],L\rho_2'[c/x])^o \vdash (P\theta_1 \mid U\rho_1'[c/x])\,\mathcal{R}_{psfw}\,(Q\theta_2 \mid U\rho_2'[c/x])$$
   $$\Downarrow =$$
   $$h'\theta.(T\rho_1',T\rho_2')^i.(L\rho_1'[c/x],L\rho_2'[c/x])^o \vdash A'[c/x]\,\mathcal{R}_{psfw=}\,B'[c/x]$$

   where $B' \equiv (Q\theta_2 \mid U\rho_2'[c/x])$.

7. Suppose that $A\theta_1 \xrightarrow{\tau} A'$ and the transition is driven by an output action of $P\theta_1$ and an input action of $R\rho_1$. That is, $P\theta_1 \xrightarrow{\bar M} (\nu\vec y)\langle M_1\rangle P'$ and $R\rho_1 \xrightarrow{M} (x)R'$ and $A' = (\nu\vec y)(P' \mid R'[M_1/x])$. Then we have

   - $Q\theta_2 \xrightarrow{\bar N} (\nu\vec z)\langle N_1\rangle Q'$ and $h\theta.(M,N)^i.(M_1[\vec c/\vec y],N_1[\vec d/\vec z])^o \vdash P'\,\mathcal{R}_p\,Q'$, and

   - there exist $\rho_1'$, $\rho_2'$, $T$ and $U$ such that $\rho_1 \preceq \rho_1'$, $\rho_2 \preceq \rho_2'$, $\rho_1' \leftrightarrow_{h'\theta} \rho_2'$, $T\rho_1' = M$ and $U\rho_1' = R'$ and $R\rho_2 \xrightarrow{T\rho_2'} (x)U\rho_2'$.

   By Lemma 54 we know that $h'\theta \vdash T\rho_1' \leftrightarrow T\rho_2'$. Since $h'\theta$ is consistent, and $T\rho_1' = M$, it must be the case that $T\rho_2' = N$. Let $h_1 = h\theta.(M,N)^i.(M_1[\vec c/\vec y],N_1[\vec d/\vec z])^o$ and let $h_2 = h'\theta.(M,N)^i.(M_1[\vec c/\vec y],N_1[\vec d/\vec z])^o$. Obviously, $h_2 \sqsubseteq_c h_1$ and since $h_1$ is consistent, by Lemma 58 we have that $h_2$ is also consistent. Now define $\sigma_1'$ and $\sigma_2'$ as follows:

   $$\sigma_1' = \rho_1' \cup \{x \mapsto M_1[\vec c/\vec y]\} \quad \text{and} \quad \sigma_2' = \rho_2' \cup \{x \mapsto N_1[\vec d/\vec z]\}.$$

   It is easy to see that $\sigma_1' \leftrightarrow_{h_2} \sigma_2'$. We can now apply the following series of rules:

   $$h\theta.(M,N)^i.(M_1[\vec c/\vec y],N_1[\vec d/\vec z])^o \vdash P'\,\mathcal{R}_p\,Q'$$
   $$\Downarrow p$$
   $$h'\theta.(M,N)^i.(M_1[\vec c/\vec y],N_1[\vec d/\vec z])^o \vdash (P' \mid U\sigma_1')\,\mathcal{R}_p\,(Q' \mid U\sigma_2')$$
   $$\Downarrow w$$
   $$h'\theta \vdash (P' \mid U\sigma_1')\,\mathcal{R}_{pw}\,(Q' \mid U\sigma_2')$$
   $$\Downarrow ri$$
   $$h'\theta \vdash (\nu\vec y)(P' \mid U\rho_1'[M_1/x])\,\mathcal{R}_{pw(ri)}\,(\nu\vec z)(Q' \mid U\rho_2'[N_1/x])$$
   $$\Downarrow =$$
   $$h'\theta \vdash A'\,\mathcal{R}_{pw(ri)=}\,B'$$

   where $B' \equiv (\nu\vec z)(Q' \mid U\rho_2'[N_1/x])$.

8. Suppose $A\theta_1 \xrightarrow{\tau} A'$ and the transition is driven by an input by $P\theta_1$ and an output by $R\rho_1$. That is, $P\theta_1 \xrightarrow{(x)} P'$ and $R\rho_1 \xrightarrow{(\nu y)(M_1)} R'$ and $A' \equiv (\nu y)(P'[M_1/x] \mid R')$. Then we have

- $Q\theta_2 \xrightarrow{(x)} Q'$ and $h\theta.(M,N)^i.(x,x)^i \vdash P' \,\mathcal{R}_p\, Q'$, and
- there exist $\rho'_1$, $\rho'_2$, $T$, $K$ and $U$ such that $\rho_1 \le \rho'_1$, $\rho_2 \le \rho'_2$, $\rho'_1 \approx_{h'\theta} \rho'_2$, $T\rho'_1 = M$, $K\rho'_1 = M_1$, $U\rho'_1 = R'$ (we can assume w.l.o.g. that $y$ are fresh w.r.t. $\rho'_1$ and $\rho'_2$) and $R\rho_2 \xrightarrow{(\nu y)(K\rho'_2)} U\rho'_2$.

Using a similar argument as in the previous case, we can show that $T\rho'_2 = N$. Let us now construct a bi-trace as follows:

$$h_1 = h'\theta.(M,N)^i.(y,y)^i.(K\rho'_1, K\rho'_2)^o.(x,x)^i.$$

It is straightforward to show that

$$h_1 \sqsubseteq_c h\theta.(M,N)^i.(x,x)^i,$$

that $h_1$ is consistent (it is sufficient to show that $h'\theta \vdash K\rho'_1 \leftrightarrow K\rho'_2$, using Lemma 51) and that $\rho'_1 \approx_{h_1} \rho'_2$. In the following, we use the following notation for some terms:

- $M_1 = K\rho'_1$, $N_1 = K\rho'_2$,
- $M_2 = M_1[c/y]$, $N_2 = N_1[c/y]$,

where $\{c\} \cap \mathrm{fn}(h'\theta) = \emptyset$. We can now apply the following up-to rules:

$$h\theta.(M,N)^i.(x,x)^i \vdash P' \,\mathcal{R}_p\, Q'$$
$$\Downarrow_p$$
$$h'\theta.(M,N)^i.(y,y)^i.(M_1,N_1)^o.(x,x)^i \vdash (P' \mid U\rho'_1) \,\mathcal{R}_p\, (Q' \mid U\rho'_2)$$
$$\Downarrow_s$$
$$h'\theta.(M,N)^i.(y,y)^i.(M_1,N_1)^o.(M_1,N_1)^i \vdash (P'[M_1/x] \mid U\rho'_1) \,\mathcal{R}_{ps}\, (Q'[N_1/x] \mid U\rho'_2)$$
$$\Downarrow_f$$
$$h'\theta.(M,N)^i.(c,c)^o.(M_2,N_2)^o.(M_2,N_2)^i \vdash (P'[M_2/x] \mid U\rho'_1[c/y]) \,\mathcal{R}_{psf}\, (Q'[N_2/x] \mid U\rho'_2[c/y])$$
$$\Downarrow_w$$
$$h'\theta \vdash (P'[M_2/x] \mid U\rho'_1[c/y]) \,\mathcal{R}_{psfw}\, (Q'[N_2/x] \mid U\rho'_2[c/y])$$
$$\Downarrow_{ri}$$
$$h'\theta \vdash (\nu y)(P'[M_1/x] \mid U\rho'_1) \,\mathcal{R}_{psfw(ri)}\, (\nu y)(Q'[N_1/x] \mid U\rho'_2)$$
$$\Downarrow_=$$
$$h'\theta \vdash A' \,\mathcal{R}_{psfw(ri)=}\, B'$$

where $B' = (\nu y)(Q'[N_1/x] \mid U\rho'_2)$.

□ 

Corollary 66. For every $t \in \{w, c, s, i, f, r, p\}$, $(\approx_o)_t = \approx_o$.

6 Soundness of open bisimilarity 

We now show that open bisimilarity is sound with respect to testing equivalence. 
Theorem 67. If $P \approx_o Q$ then $P \simeq Q$.

Proof. Suppose $P \approx_o Q$. Note that by Definition 50 $P$ and $Q$ are pure processes. Let $R$ be a pure process. We have to show that the transitions of $(P \mid R)$ can be matched by $(Q \mid R)$ and vice versa. We show here the first case; the other case can be proved using a symmetric argument. Suppose

$$P \mid R \to P_1 \to \cdots \to P_n \xrightarrow{\beta} A$$

for some $P_1, \ldots, P_n$, $\beta$ and $A$. We show that this sequence of transitions can be matched by $Q$. Note that since both $P$ and $R$ are pure processes, every $P_i$ is also a pure process. Since $P \approx_o Q$, we have $h \vdash P \approx_o Q$ for some universal bi-trace $h$. Since $\approx_o$ is closed under bi-trace contraction, we can assume without loss of generality that $h$ contains all the free names of $P$, $Q$ and $R$. By Proposition 65 we have $h \vdash (P \mid R) \approx_o (Q \mid R)$, which means that, by Definition 50, there are $Q_1, \ldots, Q_n$ such that

$$Q \mid R \to Q_1 \to \cdots \to Q_n$$

and $h \vdash P_i \approx_o Q_i$ for each $i \in \{1, \ldots, n\}$. In particular, $h \vdash P_n \approx_o Q_n$, therefore we have

$$Q_n \xrightarrow{\beta'} B$$

for some $B$ and $\beta'$ such that $h \vdash \beta \leftrightarrow \beta'$. But since $\beta$ contains no rigid names, by Lemma [?] it must be the case that $\beta' = \beta$. We therefore have

$$Q \mid R \to Q_1 \to \cdots \to Q_n \xrightarrow{\beta} B.$$

□ 






7 An example 



This example demonstrates the use of the up-to techniques in proving bisimilarity. The example is adapted from a similar one in [5]. Let $P$ and $Q$ be the following processes:

$$P = a(x).(\nu k)\bar a\langle\{x\}_k\rangle.(\nu m)\bar a\langle\{m\}_{\{a\}_k}\rangle.\bar m\langle a\rangle.0$$
$$Q = a(x).(\nu k)\bar a\langle\{x\}_k\rangle.(\nu m)\bar a\langle\{m\}_{\{a\}_k}\rangle.[x = a]\bar m\langle a\rangle.0$$

Let $\mathcal{R}$ be the least set such that:

$$(a,a)^o \vdash P \,\mathcal{R}\, Q, \qquad (a,a)^o.(x,x)^i \vdash P_1 \,\mathcal{R}\, Q_1,$$
$$(a,a)^o.(x,x)^i.(\{x\}_k, \{x\}_k)^o \vdash P_2 \,\mathcal{R}\, Q_2,$$
$$(a,a)^o.(x,x)^i.(\{x\}_k, \{x\}_k)^o.(\{m\}_{\{a\}_k}, \{m\}_{\{a\}_k})^o \vdash P_3 \,\mathcal{R}\, Q_3,$$
$$(a,a)^o.(a,a)^i.(\{a\}_k, \{a\}_k)^o.(\{m\}_{\{a\}_k}, \{m\}_{\{a\}_k})^o.(m,m)^i.(a,a)^o \vdash 0 \,\mathcal{R}\, 0,$$

where

$$P_1 = (\nu k)\bar a\langle\{x\}_k\rangle.(\nu m)\bar a\langle\{m\}_{\{a\}_k}\rangle.\bar m\langle a\rangle.0, \qquad Q_1 = (\nu k)\bar a\langle\{x\}_k\rangle.(\nu m)\bar a\langle\{m\}_{\{a\}_k}\rangle.[x = a]\bar m\langle a\rangle.0,$$
$$P_2 = (\nu m)\bar a\langle\{m\}_{\{a\}_k}\rangle.\bar m\langle a\rangle.0, \qquad Q_2 = (\nu m)\bar a\langle\{m\}_{\{a\}_k}\rangle.[x = a]\bar m\langle a\rangle.0,$$
$$P_3 = \bar m\langle a\rangle.0, \qquad Q_3 = [x = a]\bar m\langle a\rangle.0.$$

Let $\mathcal{R}'$ be the symmetric closure of $\mathcal{R}$. Then it is easy to see that $\mathcal{R}'$ is an open bisimulation up-to contraction and substitutions. For instance, consider the traced process pair $h \vdash \bar m\langle a\rangle.0 \,\mathcal{R}'\, [x = a]\bar m\langle a\rangle.0$ where $h = (a,a)^o.(x,x)^i.(\{x\}_k, \{x\}_k)^o.(\{m\}_{\{a\}_k}, \{m\}_{\{a\}_k})^o$. Let $\theta = (\theta_1, \theta_2)$ be an $h$-respectful substitution. Since $x$ is the only name in $h$, we have

$$h\theta = (a,a)^o.(s,t)^i.(\{s\}_k, \{t\}_k)^o.(\{m\}_{\{a\}_k}, \{m\}_{\{a\}_k})^o,$$

where $s = x\theta_1$ and $t = x\theta_2$. We have to check that every detectable action from $\bar m\langle a\rangle.0$ can be matched by $[t = a]\bar m\langle a\rangle.0$. If $t \neq a$, then $s \neq a$ (by the consistency of $h\theta$), therefore $\pi_1(h\theta) \nvdash m$, i.e., the action on $m$ is not detected by the environment, so this case is trivial. If $t = a$, then $s = a$ and $h\theta \vdash m \leftrightarrow m$, so both $P_3\theta_1$ and $Q_3\theta_2$ can make a transition on channel $m$. Their continuation is the traced process pair

$$(a,a)^o.(a,a)^i.(\{a\}_k, \{a\}_k)^o.(\{m\}_{\{a\}_k}, \{m\}_{\{a\}_k})^o.(m,m)^i.(a,a)^o \vdash 0 \,\mathcal{R}'\, 0,$$

which is in the set $\mathcal{R}'$, hence also in $\mathcal{R}'_{cs}$ (up-to contraction and substitution on $\mathcal{R}'$). Therefore, by Proposition 65, $(a,a)^o \vdash P \approx_o Q$.
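The case analysis above hinges on whether the environment can deduce the channel name $m$ from its knowledge $\pi_1(h\theta)$ once $x$ has been instantiated. The following Python snippet is an added illustration and not code from the paper: it implements a standard Dolev-Yao style deduction (projection of pairs, decryption under derivable keys, synthesis by pairing and encryption) over a constructed message model, and checks for the example's environment knowledge $\{a, \{s\}_k, \{m\}_{\{a\}_k}\}$ that $m$ is derivable exactly when $s = a$. The message representation, the function names, and the treatment of the restricted names $k$ and $m$ as never directly known are assumptions of this illustration; the paper's own deduction rules for $\Gamma \vdash M$ are not reproduced on this page.

```python
# Added illustration of the detectability check in the Section 7 example.
# Not code from the paper: it assumes a standard Dolev-Yao message
# deduction (pair projection, decryption when the key is derivable,
# synthesis by pairing and encryption) as the meaning of pi_1(h theta) |- M.
from dataclasses import dataclass
from typing import AbstractSet, FrozenSet, Set, Tuple, Union


@dataclass(frozen=True)
class Enc:
    """Symmetric encryption {msg}_key, written {M}_K in the paper."""
    msg: "Message"
    key: "Message"


# Names are strings, pairs are 2-tuples (M, N), encryptions are Enc(M, K).
Message = Union[str, Tuple["Message", "Message"], Enc]


def synthesisable(known: AbstractSet[Message], target: Message) -> bool:
    """Can `target` be built from `known` by pairing and encryption?
    A name is obtainable only if it is already in `known`."""
    if target in known:
        return True
    if isinstance(target, tuple):
        return all(synthesisable(known, part) for part in target)
    if isinstance(target, Enc):
        return synthesisable(known, target.msg) and synthesisable(known, target.key)
    return False


def analyse(knowledge: AbstractSet[Message]) -> FrozenSet[Message]:
    """Close `knowledge` under projection of pairs and decryption of
    {M}_K for every K that is itself derivable.  Iterated to a fixpoint,
    since one decryption may expose the key needed by another."""
    known: Set[Message] = set(knowledge)
    changed = True
    while changed:
        changed = False
        for m in list(known):
            parts = []
            if isinstance(m, tuple):
                parts = list(m)
            elif isinstance(m, Enc) and synthesisable(known, m.key):
                parts = [m.msg]
            for p in parts:
                if p not in known:
                    known.add(p)
                    changed = True
    return frozenset(known)


def deduces(knowledge: AbstractSet[Message], target: Message) -> bool:
    """Environment deduction: knowledge |- target."""
    return synthesisable(analyse(knowledge), target)


def environment_knowledge(s: str) -> Set[Message]:
    """Constructed first projection of h theta from the example, output
    pairs only: the environment has seen a, {s}_k and {m}_{{a}_k}, where
    s = x theta_1.  k and m are restricted names, so they are never handed
    over directly (assumption of this illustration)."""
    return {"a", Enc(s, "k"), Enc("m", Enc("a", "k"))}


def action_on_m_detectable(s: str) -> bool:
    """pi_1(h theta) |- m holds exactly when the environment can rebuild the
    key {a}_k, i.e. when the value it sent for x was a."""
    return deduces(environment_knowledge(s), "m")


if __name__ == "__main__":
    for s in ("a", "b"):
        print(f"x = {s}: action on channel m detectable? {action_on_m_detectable(s)}")
```

With $s = a$ the ciphertext $\{s\}_k$ the environment already holds is itself the key $\{a\}_k$, so the second output decrypts and $m$ becomes known; with any other $s$ neither $k$ nor $\{a\}_k$ is derivable and the output on $m$ stays invisible, which is the "trivial case" of the argument above.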



8 Congruence results for open bisimilarity 

In this section we show that the relation $\approx_o$ on pure processes is an equivalence relation (reflexive, symmetric, transitive) and is closed under arbitrary pure process contexts. We need some preliminary lemmas to show that $\approx_o$ is an equivalence relation. Most of these lemmas concern properties of reflexive observer theories, i.e., theories whose first and second projections are equal sets.

Lemma 68. Let $M$ be a pure message. Then $\Gamma \vdash M \leftrightarrow M$ for any theory $\Gamma$.

Lemma 69. Let $\Gamma$ be a theory such that $\pi_1(\Gamma) = \pi_2(\Gamma)$. If $\Gamma \vdash M \leftrightarrow N$, then $M = N$.

Proof. By simple induction on the height of the derivation of $\Gamma \vdash M \leftrightarrow N$. □

Lemma 70. Let $\Gamma$ be a theory such that $\pi_1(\Gamma) = \pi_2(\Gamma)$. Then $\Gamma$ is a consistent theory.

Proof. We show that $\Gamma$ satisfies the list of properties specified in Definition 11. The first and the third properties follow immediately from Lemma [?]. For the second property, we need to show that whenever $\Gamma \vdash \{M\}_N \leftrightarrow \{M\}_N$, then $\pi_1(\Gamma) \vdash N$ (or $\pi_2(\Gamma) \vdash N$) implies $\Gamma \vdash N \leftrightarrow N$. This can be proved straightforwardly by induction on the length of derivations, that is, we simply mimic the rules applied in $\pi_1(\Gamma) \vdash N$ to prove $\Gamma \vdash N \leftrightarrow N$. □
Lemma 71. Let $h$ be a consistent bi-trace such that $\pi_1(h) = \pi_2(h)$. If $\theta = (\theta_1, \theta_2)$ respects $h$, then $\pi_1(h\theta) = \pi_2(h\theta)$ and for every $x \in \mathrm{fn}(h)$, $x\theta_1 = x\theta_2$.

Proof. By induction on the size of $h$. The non-trivial case is when $h = h'.(M,M)^i$. By the induction hypothesis, we have that $\pi_1(h'\theta) = \pi_2(h'\theta)$, therefore by Lemma 69 $M\theta_1 = M\theta_2$. Moreover, since $\theta$ respects $h$, it is the case that $h'\theta \vdash x\theta_1 \leftrightarrow x\theta_2$, and again by Lemma 69 $x\theta_1 = x\theta_2$. □

Lemma 72. Let $h = h'.(M,M)^o$ be a bi-trace such that $h'$ is consistent, $\pi_1(h') = \pi_2(h')$ and $\mathrm{fn}(M) \subseteq \mathrm{fn}(h')$. Then $h$ is a consistent bi-trace.

Proof. We have to show that for every $h'$-respectful substitution pair $\theta = (\theta_1, \theta_2)$, $\{h\theta\}$ is a consistent theory. From Lemma 71 it follows that $\pi_1(h'\theta) = \pi_2(h'\theta)$. And since $\mathrm{fn}(M) \subseteq \mathrm{fn}(h')$, we have $M\theta_1 = M\theta_2$ and $\pi_1(h\theta) = \pi_2(h\theta)$. Therefore by Lemma 70 $\{h\theta\}$ is a consistent theory. Thus, $h$ is a consistent bi-trace. □

Lemma 73. The set

$$\mathcal{R} = \{(h, P, P) \mid (h, P, P) \text{ is a traced process pair, } h \text{ is consistent and } \pi_1(h) = \pi_2(h)\}$$

is an open bisimulation.

Proof. $\mathcal{R}$ is obviously symmetric and consistent. It remains to show that it is closed under one-step transitions. Suppose $h \vdash P \,\mathcal{R}\, P$ and $\theta = (\theta_1, \theta_2)$ respects $h$. Note that $P\theta_1 = P\theta_2$ since $\theta_1$ and $\theta_2$ coincide on the domain $\mathrm{fn}(h)$ by Lemma 71 (recall that the free names of $P$ are among the free names in $h$).

1. Suppose $P\theta_1 \to P'$. Since $P\theta_1 = P\theta_2$, we have $P\theta_2 \to P'$, and since $h\theta$ is consistent, we have $h\theta \vdash P' \,\mathcal{R}\, P'$.

2. Suppose $P\theta_1 \xrightarrow{(x)} P'$, $x \notin \mathrm{fn}(h\theta)$, and $\pi_1(h\theta) \vdash M$. Then $P\theta_2 \xrightarrow{(x)} P'$, and since $h\theta$ is consistent, by Lemma 30 we have $h\theta \vdash M \leftrightarrow N$ for some $N$. By Lemma 69 we have $N = M$. This, together with the fact that $h\theta.(M,M)^i \vdash x \leftrightarrow x$, entails that $h\theta.(M,M)^i.(x,x)^i$ is consistent and therefore

$$h\theta.(M,M)^i.(x,x)^i \vdash P' \,\mathcal{R}\, P'.$$

3. Suppose $P\theta_1 \xrightarrow{(\nu x)(N)} P'$, $\{c\} \cap \mathrm{fn}(h\theta, P\theta_1, Q\theta_2) = \emptyset$, and $\pi_1(h\theta) \vdash M$. Then $P\theta_2 \xrightarrow{(\nu x)(N)} P'$ and, following the same argument as in the previous case, we show that $h\theta.(M,M)^i$ is consistent. From Lemma 72 it follows that $h\theta.(M,M)^i.(N[c/x], N[c/x])^o$ is also consistent, therefore

$$h\theta.(M,M)^i.(N[c/x], N[c/x])^o \vdash P'[c/x] \,\mathcal{R}\, P'[c/x].$$

□

Definition 74. Given two sets of traced process pairs $\mathcal{R}_1$ and $\mathcal{R}_2$, their composition is defined as follows:

$$\mathcal{R}_1 \circ \mathcal{R}_2 = \{(h_1 \circ h_2, P, R) \mid h_1 \vdash P \,\mathcal{R}_1\, Q,\ h_2 \vdash Q \,\mathcal{R}_2\, R \text{ and } h_1 \text{ is left-composable with } h_2\}.$$

Lemma 75. If $\mathcal{R}_1$ and $\mathcal{R}_2$ are open bisimulations then $\mathcal{R}_1 \circ \mathcal{R}_2$ is also an open bisimulation.

Proof. The symmetry of $\mathcal{R}_1 \circ \mathcal{R}_2$ follows from the symmetry of $\mathcal{R}_1$ and $\mathcal{R}_2$, and its consistency follows from the fact that compositions of consistent bi-traces yield consistent bi-traces (Lemma [?]). It remains to show that $\mathcal{R}_1 \circ \mathcal{R}_2$ is closed under one-step transitions. In the following $\mathcal{R}$ denotes the set $\mathcal{R}_1 \circ \mathcal{R}_2$. Suppose $h_1 \circ h_2 \vdash P \,\mathcal{R}\, R$ and $\theta = (\theta_1, \theta_2)$ respects $h_1 \circ h_2$. From the definition of $\mathcal{R}$ we have that $h_1 \vdash P \,\mathcal{R}_1\, Q$ and $h_2 \vdash Q \,\mathcal{R}_2\, R$ for some $Q$. It follows from Lemma [?] that there exists a substitution $\rho$ such that $(\theta_1, \rho)$ respects $h_1$ and $(\rho, \theta_2)$ respects $h_2$.

1. Suppose $P\theta_1 \to P'$. Then $Q\rho \to Q'$ and $R\theta_2 \to R'$ for some $Q'$ and $R'$ such that $h_1(\theta_1, \rho) \vdash P' \,\mathcal{R}_1\, Q'$ and $h_2(\rho, \theta_2) \vdash Q' \,\mathcal{R}_2\, R'$. Therefore $(h_1 \circ h_2)\theta \vdash P' \,\mathcal{R}\, R'$.

2. Suppose $P\theta_1 \xrightarrow{(x)} P'$, where $x \notin \mathrm{fn}(h\theta)$ and $\pi_1((h_1 \circ h_2)\theta) \vdash M$. Then $Q\rho \xrightarrow{(x)} Q'$ and $R\theta_2 \xrightarrow{(x)} R'$ for some $N$, $U$, $Q'$ and $R'$ such that

- $h_1(\theta_1, \rho).(M,N)^i.(x,x)^i \vdash P' \,\mathcal{R}_1\, Q'$, and
- $h_2(\rho, \theta_2).(N,U)^i.(x,x)^i \vdash Q' \,\mathcal{R}_2\, R'$.

Therefore $(h_1 \circ h_2)\theta.(M,U)^i.(x,x)^i \vdash P' \,\mathcal{R}\, R'$.

3. Suppose $P\theta_1 \xrightarrow{(\nu x)(M')} P'$ for some $M$, $M'$ and $P'$. Then $Q\rho \xrightarrow{(\nu y)(N')} Q'$ and $R\theta_2 \xrightarrow{(\nu z)(U')} R'$ for some $Q'$, $R'$, $N$, $U$, $N'$ and $U'$ such that

- $h_1(\theta_1, \rho).(M,N)^i.(M'[c/x], N'[d/y])^o \vdash P'[c/x] \,\mathcal{R}_1\, Q'[d/y]$, and
- $h_2(\rho, \theta_2).(N,U)^i.(N'[d/y], U'[e/z])^o \vdash Q'[d/y] \,\mathcal{R}_2\, R'[e/z]$,

where $c$, $d$ and $e$ satisfy the freshness condition in Definition 50. Therefore

$$(h_1 \circ h_2)\theta.(M,U)^i.(M'[c/x], U'[e/z])^o \vdash P'[c/x] \,\mathcal{R}\, R'[e/z].$$

□

Theorem 76. The relation $\approx_o$ is an equivalence relation on pure processes.

Proof. The symmetry of $\approx_o$ on processes follows from the symmetry of $\approx_o$ on traced process pairs. For the reflexivity, from Lemma 73 we know that there is a bisimulation $\mathcal{R}$ that contains $(h, R, R)$ for any pure process $R$ and any universal trace $h$ such that $\mathrm{fn}(R) \subseteq \mathrm{fn}(h)$. Therefore $\mathcal{R} \subseteq\, \approx_o$ and $R \approx_o R$ for every pure process $R$. For transitivity, from Lemma 75 we know that $(\approx_o) \circ (\approx_o)$ is an open bisimulation, hence $(\approx_o) \circ (\approx_o) \subseteq\, \approx_o$ (because $\approx_o$ is the largest open bisimulation). Now suppose $P \approx_o Q$ and $Q \approx_o R$. This means that for some $h_1$ and $h_2$, $(h_1, P, Q) \in\, \approx_o$ and $(h_2, Q, R) \in\, \approx_o$. Using Proposition 65 we can introduce arbitrary pairs of input names to a traced process pair while still preserving their bisimilarity. It thus follows that there is an $h$ such that $\mathrm{fn}(h_1, h_2) \subseteq \mathrm{fn}(h)$, $(h, P, Q) \in\, \approx_o$ and $(h, Q, R) \in\, \approx_o$. Therefore, by Lemma 75, $(h, P, R) \in\, \approx_o$, hence $P \approx_o R$. □

Having established that $\approx_o$ is indeed an equivalence relation on pure processes, we proceed to show that it is also a congruence for finite pure processes.

Lemma 77. $h.(x,x)^i \vdash P \approx_o Q$ if and only if $h \vdash M(x).P \approx_o N(x).Q$, where $h \vdash M \leftrightarrow N$ and $x \notin \mathrm{fn}(h)$.

Proof. Suppose $h.(x,x)^i \vdash P \approx_o Q$. Then there exists an open bisimulation $\mathcal{R}$ such that $h.(x,x)^i \vdash P \,\mathcal{R}\, Q$. Define the relation $\mathcal{R}_1$ as follows:

$$\mathcal{R}_1 = \{(h, M(x).P, N(x).Q) \mid h.(x,x)^i \vdash P \,\mathcal{R}\, Q \text{ and } h \vdash M \leftrightarrow N\}.$$

It is easy to show that $\mathcal{R}_1$ is an open bisimulation, therefore $h \vdash M(x).P \approx_o N(x).Q$ for any $h \vdash M \leftrightarrow N$. Conversely, suppose that $h \vdash M(x).P \,\mathcal{R}\, N(x).Q$ and $h \vdash M \leftrightarrow N$, for some open bisimulation $\mathcal{R} \subseteq\, \approx_o$. Since the empty substitution pair $(\epsilon, \epsilon)$ respects $h$ and since $M(x).P \xrightarrow{(x)} P$ and $N(x).Q \xrightarrow{(x)} Q$, we obviously have $h.(M,N)^i.(x,x)^i \vdash P \,\mathcal{R}\, Q$, therefore $h.(x,x)^i \vdash P \,\mathcal{R}_w\, Q$. By Proposition 65 this implies $h.(x,x)^i \vdash P \approx_o Q$. □

Lemma 78. If $h_1.(x,x)^i.(y,y)^i.h_2 \vdash P \approx_o Q$, where $x, y \notin \mathrm{fn}(h_1, h_2)$, then $h_1.(y,y)^i.(x,x)^i.h_2 \vdash P \approx_o Q$.

Proof. We make use of the soundness of the up-to techniques (Proposition 65), more specifically the up-to contraction and substitutions. Note that a consequence of Proposition 65 is that $(\approx_o)_t = \approx_o$ for any $t \in \{=, s, f, w, c, r, p\}$. The applications of the up-to techniques are as follows:

$$h_1.(x,x)^i.(y,y)^i.h_2 \vdash P \approx_o Q$$
$$\Downarrow \text{ contraction, } x', y' \text{ new names}$$
$$h_1.(y',y')^i.(x',x')^i.(x,x)^i.(y,y)^i.h_2 \vdash P \approx_o Q$$
$$\Downarrow \text{ substitution}$$
$$h_1.(y',y')^i.(x',x')^i.(x',x')^i.(y',y')^i.h_2 \vdash P[x'/x, y'/y] \approx_o Q[x'/x, y'/y]$$
$$\Downarrow \text{ weakening}$$
$$h_1.(y',y')^i.(x',x')^i.h_2 \vdash P[x'/x, y'/y] \approx_o Q[x'/x, y'/y]$$
$$\Downarrow \text{ substitution}$$
$$h_1.(y,y)^i.(x,x)^i.h_2 \vdash P \approx_o Q$$

□
Theorem 79. The relation $\approx_o$ is a congruence on finite pure processes.

Proof. We show that the relation $\approx_o$ is closed under all process contexts (except, of course, replication). It is enough to show closure under elementary contexts.

Input prefix. Suppose $P \approx_o Q$ and $x$ is a free name in $P$ and $Q$. We show that $M(x).P \approx_o M(x).Q$ for all pure messages $M$. By definition, $h_1.(x,x)^i.h_2 \vdash P \approx_o Q$ for some bi-trace $h_1.(x,x)^i.h_2$. We assume that $h_1.h_2$ contains all the names in $M$; otherwise apply the contraction rule to extend it to cover all the names in $M$. This can be done because $\approx_o$ is closed under bi-trace extensions (Proposition 65). We then apply Lemma 78 to move the pair $(x,x)$ to the end of the list. That is, we have $h_1.h_2.(x,x)^i \vdash P \approx_o Q$. Note that since $M$ is a pure message, by Lemma 68 $h_1.h_2 \vdash M \leftrightarrow M$. We can therefore apply Lemma 77 to get $h_1.h_2 \vdash M(x).P \approx_o M(x).Q$.

Output prefix. Suppose $P \approx_o Q$, i.e., $h \vdash P \approx_o Q$. We show that $h \vdash \bar M\langle N\rangle.P \approx_o \bar M\langle N\rangle.Q$, for any pure messages $M$ and $N$. This amounts to showing that $h.(M,M)^i.(N,N)^o \vdash P \approx_o Q$. This is indeed the case since $h.(M,M)^i.(N,N)^o \sqsubseteq_c h$ and $\approx_o$ is closed under contraction of bi-traces.

Parallel composition. Suppose $h \vdash P \approx_o Q$. Let $R$ be any pure process. Then by Proposition 65, $h' \vdash (P \mid R) \approx_o (Q \mid R)$ for some universal trace $h'$ containing all the names of $P$, $Q$ and $R$. Therefore, $(P \mid R) \approx_o (Q \mid R)$. The left-composition, i.e., $(R \mid P) \approx_o (R \mid Q)$, is proved analogously.

Restriction. Suppose $P \approx_o Q$, where $h_1.(x,x)^i.h_2 \vdash P \approx_o Q$. We first use Lemma 78 to obtain $h_1.h_2.(x,x)^i \vdash P \approx_o Q$. This is then followed by an up-to flexible-rigid reversal on $x$, weakening and finally the restriction, to get $h_1.h_2 \vdash (\nu x)P \approx_o (\nu x)Q$. Therefore, $(\nu x)P \approx_o (\nu x)Q$.

Matching. In this case we first show the soundness of an up-to matching technique: given a consistent set of traced process pairs $\mathcal{R}$, define $\mathcal{R}_m$ as the smallest set containing $\mathcal{R}$ and closed under the rule

$$\frac{h \vdash P \,\mathcal{R}\, Q \qquad M \text{ and } N \text{ are pure messages such that } \mathrm{fn}(M,N) \subseteq \mathrm{fn}(h)}{h \vdash [M = N]P \,\mathcal{R}_m\, [M = N]Q}$$

and show that $\mathcal{R}_m$ is an open bisimulation whenever $\mathcal{R}$ is. This relies on the fact that, for any consistent bi-trace $h$ and $h$-respectful substitution pair $\theta = (\theta_1, \theta_2)$, it holds that $h\theta \vdash M\theta_1 \leftrightarrow M\theta_2$ and $h\theta \vdash N\theta_1 \leftrightarrow N\theta_2$, and therefore by the consistency of $h\theta$, $M\theta_1 = N\theta_1$ if and only if $M\theta_2 = N\theta_2$. From this, it then follows that $(\approx_o)_m = \approx_o$.

We now show that $P \approx_o Q$ implies $[M = N]P \approx_o [M = N]Q$, for any pure messages $M$ and $N$. Suppose that $h \vdash P \approx_o Q$. Note that $M$ and $N$ may contain free names which are not free in $P$ and $Q$, so we need to extend $h$ to a universal trace $h'$ containing all the names in $P$, $Q$, $M$ and $N$. It would then follow that $h' \vdash [M = N]P \,(\approx_o)_{cm}\, [M = N]Q$, and therefore $[M = N]P \approx_o [M = N]Q$.
Pairing. As in the previous case, we show that open bisimulation is closed under the following rule: given a relation $\mathcal{R}$, define $\mathcal{R}_i$ to be the smallest relation containing $\mathcal{R}$ and closed under the rule

$$\frac{h.(x,x)^i.(y,y)^i \vdash P \,\mathcal{R}\, Q \qquad x, y \notin \mathrm{fn}(h),\; M \text{ is a pure message and } \mathrm{fn}(M) \subseteq \mathrm{fn}(h)}{h \vdash (\mathrm{let}\ (x,y) = M\ \mathrm{in}\ P) \,\mathcal{R}_i\, (\mathrm{let}\ (x,y) = M\ \mathrm{in}\ Q)}$$

We show that $\mathcal{R}_i$ is an open bisimulation up-to contraction, given that $\mathcal{R}$ is an open bisimulation. Let us examine one case here involving an input action; the other two cases can be handled similarly. Suppose

$$h \vdash (\mathrm{let}\ (x,y) = M\ \mathrm{in}\ P) \,\mathcal{R}_i\, (\mathrm{let}\ (x,y) = M\ \mathrm{in}\ Q),$$

and $h.(x,x)^i.(y,y)^i \vdash P \,\mathcal{R}\, Q$. Let $\theta = (\theta_1, \theta_2)$ be a substitution pair respecting $h$. We assume w.l.o.g. that $x \notin \mathrm{dom}(\theta_1)$. Suppose

$$\mathrm{let}\ (x,y) = M\theta_1\ \mathrm{in}\ P\theta_1 \xrightarrow{(z)} P'.$$

It must be the case that $M\theta_1 = (M_1, M_2)$, $M\theta_2 = (M'_1, M'_2)$, $h\theta \vdash M_1 \leftrightarrow M'_1$ and $h\theta \vdash M_2 \leftrightarrow M'_2$, and $P\theta_1[M_1/x, M_2/y] \xrightarrow{(z)} P'$. Define the substitutions $\theta'_1$ and $\theta'_2$ as follows:

$$\theta'_1 = \theta_1 \cup \{M_1/x, M_2/y\} \quad\text{and}\quad \theta'_2 = \theta_2 \cup \{M'_1/x, M'_2/y\}.$$

It is easy to see that $(\theta'_1, \theta'_2)$ respects $h.(x,x)^i.(y,y)^i$, therefore we have $Q\theta'_2 \xrightarrow{(z)} Q'$ for some $V$ and $Q'$ such that

$$h\theta.(M_1, M'_1)^i.(M_2, M'_2)^i.(U,V)^i.(z,z)^i \vdash P' \,\mathcal{R}_i\, Q'.$$

Note that since $\mathrm{fn}(M) \subseteq \mathrm{fn}(h)$, the free names of $M_1$, $M_2$, $M'_1$ and $M'_2$ are all in $h\theta$. We can therefore apply the weakening rule to the above traced process pair to get

$$h\theta.(U,V)^i.(z,z)^i \vdash P' \,(\mathcal{R}_i)_c\, Q'.$$

Hence $\mathcal{R}_i \subseteq\, \approx_o$ by Proposition 65.

Now we show that if $P \approx_o Q$ then $(\mathrm{let}\ (x,y) = M\ \mathrm{in}\ P) \approx_o (\mathrm{let}\ (x,y) = M\ \mathrm{in}\ Q)$ for any pure message $M$. We can assume that $h.(x,x)^i.(y,y)^i \vdash P \approx_o Q$ for some universal trace $h$ (by applying contraction and Lemma 78 to move the input pairs for $x$ and $y$), and that $\mathrm{fn}(M) \subseteq \mathrm{fn}(h)$. The latter means that $x$ and $y$ are not in $\mathrm{fn}(M)$. This is not a limitation since we can always apply renaming to $x$ and $y$ in $P$ and $Q$ (recall that $\approx_o$ is also closed under respectful substitution) before we close it under the pairing context. Since $(\approx_o)_i = \approx_o$, we can apply the above closure rule and obtain

$$h \vdash (\mathrm{let}\ (x,y) = M\ \mathrm{in}\ P) \approx_o (\mathrm{let}\ (x,y) = M\ \mathrm{in}\ Q)$$

and therefore $(\mathrm{let}\ (x,y) = M\ \mathrm{in}\ P) \approx_o (\mathrm{let}\ (x,y) = M\ \mathrm{in}\ Q)$.

Encryption. This case is proved analogously to the case with pairing. In this case, we define the closure under the case-expression: let $\mathcal{R}$ be a relation. Then $\mathcal{R}_e$ is the smallest relation containing $\mathcal{R}$ and closed under the rule

$$\frac{h.(x,x)^i \vdash P \,\mathcal{R}\, Q \qquad x \notin \mathrm{fn}(h),\; M \text{ and } N \text{ are pure messages and } \mathrm{fn}(M,N) \subseteq \mathrm{fn}(h)}{h \vdash (\mathrm{case}\ M\ \mathrm{of}\ \{x\}_N\ \mathrm{in}\ P) \,\mathcal{R}_e\, (\mathrm{case}\ M\ \mathrm{of}\ \{x\}_N\ \mathrm{in}\ Q)}$$

As in the previous case, we can show that $\mathcal{R}_e \subseteq\, \approx_o$, and therefore $(\approx_o)_e = \approx_o$. The rest of the proof proceeds similarly to the previous case.

□

9 Conclusion and future work 

We have shown a formulation of open bisimulation for the spi-calculus. In this formulation, bisimulation is indexed by pairs of symbolic traces that concisely encode the history of interactions between the environment and the processes being checked for bisimilarity. We show that open bisimilarity is a congruence for finite processes and is sound with respect to testing equivalence. For the latter, we note that with some minor modifications, we can also show soundness of open bisimilarity with respect to barbed congruence. Our formulation is directly inspired by hedged bisimulation [?]. In fact, open bisimilarity can be shown to be sound with respect to hedged bisimulation. Comparison with hedged bisimulation and other formulations of bisimulation for the spi-calculus is left for future work.

It would be interesting to see how the congruence results extend to the case with replications or recursions. This will probably require a more general definition of the rule for up-to parallel composition. The definition of open bisimulation and the consistency of bi-traces make use of quantification over respectful substitutions. We will investigate whether there is a finite characterisation of consistent bi-traces. One possibility is to use a symbolic transition system, i.e., a transition system parameterised upon certain logical constraints, the solutions of which should correspond to respectful substitutions. Some preliminary study in this direction is done in [7] for a variant of open bisimulation based on hedged bisimulation. Since the bi-trace structure we use is a variant of symbolic traces, we will also investigate whether the techniques used for symbolic trace analysis [3] can be adapted to our setting.

Another interesting direction for future work is to find a proof search encoding of the spi-calculus and open bisimulation in a logical framework. This has been done for open bisimulation for the π-calculus [16], in a logical framework based on intuitionistic logic [9]. The logic used in that formalization features a new quantifier, called ∇, which allows one to reason about "freshness" of names, a feature crucial to the correct formalization of the notion of name restriction in the π-calculus. An interesting aspect of this formalization is the fact that quantifier alternation in logic, i.e., the alternation between the universal quantifier and ∇, captures a certain natural class of name-distinctions. Adapted to our definition of open bisimulation, it would seem that rigid names should be interpreted as ∇-quantified names, whereas non-rigid names should be interpreted as universally quantified names. Details of such a proof search encoding for the spi-calculus are left for future work.